University of Minnesota chief auditor outlines audit function, staffing and recent quality review

October 01, 2025 | University of Minnesota, Public Universities Board of Trustees Meeting, School Boards, Minnesota


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting.

Quinn Galsuk, the University of Minnesota’s chief auditor, told the Board of Regents’ Audit and Compliance Committee that the Office of Internal Audit (OIA) provides assurance over university risk, conducts investigations and advisory services, and reports functionally to the committee while administratively reporting to board leadership.

Galsuk said OIA is the university’s only internal audit function and described how it coordinates with external auditors — including CliftonLarsonAllen for the financial statement audit and uniform guidance reviews — as well as the Minnesota Office of the Legislative Auditor and various federal agency auditors. “When you think about internal audit, I want you to think about us as the third line of defense,” Galsuk said, describing OIA’s role in confirming that operational units (the first line) and policy/oversight functions (the second line) are operating effectively.

The nut of Galsuk’s briefing was how OIA selects, conducts and reports audits. She said the office’s audit plan is developed annually through broad consultation with more than 100 senior leaders and is presented to the committee in June for board approval. The audit plan is divided into two tiers: Tier 1 audits are those OIA intends to complete; Tier 2 audits are intended but more likely to be swapped out if priorities or staffing change. OIA weighs internal input alongside external trends at peer institutions and federal audit activity when assessing risk and scoping audits.

Galsuk described OIA’s staffing and structure: 16 auditors in the office, led by three audit directors and an associate audit director; nine financial/operational auditors; two IT auditors; and a senior data analyst. One auditor is based on the Duluth campus; the rest are on the Twin Cities campus. She said audit work is performed in three phases — planning, field work and reporting — and that issues rated high or medium are included in reports along with management action plans provided by unit leaders.

OIA uses an overall rating scale for audit conclusions — good, adequate or needs improvement — and provides a control chart tied to COSO, the university’s control framework approved by board policy. Galsuk explained that the office follows Institute of Internal Auditors (IIA) standards and noted that the IIA updated its standards in 2025; OIA updated its charter and report formats to remain aligned. She said OIA will follow up on high-risk findings until they are remediated or the risk is formally accepted, and that the committee receives follow-up reports three times a year.

Galsuk summarized the office’s most recent external quality assessment review, conducted in 2024 by chief auditors from Virginia Tech, University of Washington, Rutgers and Boston University. The team found that OIA “generally conforms” to IIA standards, which Galsuk noted is the highest possible rating under the QAR framework, and provided opportunities for improvement that OIA addressed and reviewed with the committee in May 2025.

She described several process changes adopted after the QAR and the 2025 IIA standards update, including a simplified risk-rating scheme (high, medium, low), an updated audit report format, and new follow-up metrics and trend visualizations. Galsuk said the office is also reviewing potential technology replacements for aging tools such as custom Access databases and an entry-level automated work-paper system.

Galsuk emphasized limits on OIA’s authority and management responsibility: while OIA issues recommendations, “management can address risk any way in which it sees fit,” she said. She also reminded the committee that most audit reports are public documents, with narrow exceptions — for example, reports that contain sensitive information about information-security vulnerabilities.

The presentation included historical and operational context: OIA was established in 1929, is a founding member of the Association of College and University Auditors, and is housed in the Westbank Office Building. Galsuk closed by inviting committee members to raise questions at the committee meeting on Oct. 9.
