The first article in this series explores how internal audit, compliance and risk functions can evolve from risk oversight roles into true strategic partners, helping institutions not only safeguard resources but also actively drive transformation. As colleges and universities navigate shrinking budgets, demographic headwinds and intensifying scrutiny, the question of accountability becomes even more critical. Who, exactly, are internal audit, compliance and risk functions serving, and how should that answer shape their role in higher education's future? In this context, institutions must grapple with whether these functions are being positioned too narrowly (i.e., as checkers of compliance or as arms of the board) instead of as enterprise levers that inform decision-making and advance institutional priorities. Raising this question up front is essential, because the way accountability is defined will determine whether these functions remain primarily defensive or become contributors to broader strategic and operational effectiveness.
This article examines how a more expansive view of accountability can frame their purpose more productively and set the conditions for higher-value contributions.
The rules we must follow
At a foundational level, risk oversight functions are grounded in well-established frameworks.
The Institute of Internal Auditors' (IIA) Global Internal Audit Standards (GIAS) define internal audit's purpose as strengthening the organization's ability to create, protect and sustain value by providing the board and management with independent, risk-based and objective assurance, advice, insight and foresight. These standards, when effectively operationalized (i.e., through a charter that establishes internal audit functionally reporting to the board with administrative reporting to management), anchor internal audit in objectivity and independence, ensuring the function remains accountable to the governing board or audit committee while also providing holistic value to the institution.
Compliance, by contrast, operates under its own set of professional and regulatory expectations. At its core, compliance is responsible for ensuring that institutions adhere to laws, regulations and internal policies. This includes monitoring, training, reporting and advising management on the design of effective controls. While compliance is less standardized globally than internal audit, higher education compliance programs often draw from frameworks such as the Department of Justice's Federal Sentencing Guidelines for Effective Compliance Programs, as well as specific federal and state regulatory requirements (e.g., Title IX, Clery Act, research compliance). The role of compliance is proactive and operational, embedded in day-to-day processes to help prevent violations and reinforce institutional integrity. While a part of management, compliance functions also typically have a level of accountability (and increasingly reporting lines) to a board-level committee.
Enterprise risk management (ERM) is guided by frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework and its subsequent iteration, which emphasize that risk management is not a standalone exercise but a core component of strategy and decision-making. In higher education, this means ERM's purpose extends beyond identifying and ranking risks. It seeks to foster a culture of informed decision-making, where risks are understood, discussed and managed in alignment with institutional objectives. A mature ERM function facilitates a shared language for risk across academic and administrative units, links risk appetite to strategic planning and provides leadership and boards with visibility into the issues that could impact mission success. When effectively implemented, ERM becomes the connective tissue between risk oversight functions and strategy, ensuring that institutional priorities are pursued with both agility and accountability (often supported by reporting to a board-level committee).
The IIA's Three Lines Model helps clarify how these functions relate. Compliance and risk typically sit in the second line of defense, responsible for monitoring risks and supporting management in its control responsibilities. Internal audit, by contrast, sits in the third line, providing independent assurance to the board and senior leadership on the adequacy and effectiveness of governance, risk management and controls. While distinct in purpose and reporting, all three functions often engage with the same risks, making coordination not just beneficial but essential.
These professional standards and roles matter because they provide guidance for obligations and boundaries, which are formalized in charters for each function. Yet, higher education's accountability ecosystem is complex, and the work of internal audit, compliance and risk is not performed in isolation; it intersects with students, faculty, regulators and funders, each of whom expects institutions to deliver on their mission with integrity and transparency.
Multiple stakeholders, competing expectations
Complexity surrounds the entire accountability environment in higher education. Students and families demand a quality of education and value for their investment. Faculty desire academic freedom, resources and support for teaching and research. Regulators and accreditors require compliance with standards, while donors expect funding stewardship and measurable impact. Each group's expectations are valid, but they do not always align.
Internal audit, compliance and risk functions, while distinct, are deeply enmeshed in this ecosystem. They often look at the same risks (e.g., enrollment, student success, financial stewardship, data integrity) but from different vantage points. Compliance provides proactive monitoring and support; risk supports the minimization of threats through identification, assessment, management and monitoring; while internal audit brings an independent, retrospective and forward-looking assessment. When these roles are coordinated, they offer a more holistic view of accountability and risk alignment. When they are siloed, duplication, gaps and confusion often follow.
Protecting trust, enabling strategy
The key is to reimagine accountability as both compliance-driven and mission-driven. Internal functions must help the institution walk this line. That means not just checking the box on policies or internal audits but actively contributing to the preservation and rebuilding of public trust. In doing so, internal audit, compliance and risk functions can help identify where the institution's systems, structures and culture may need to evolve, illuminating practical opportunities to strengthen governance, improve efficiency and align operations with both leading industry practices and institutional mission.
Here is where the traditional definition of internal auditing must advance. Internal audit will always remain independent, objective and accountable to the board. But if we stop there, we miss the larger truth: that risk oversight functions ultimately exist to serve the institution's mission and the stakeholders who depend on it. In practice, that means internal audit, compliance and risk are not simply guardians of the past, but strategic allies for the future. By translating risk oversight insights into actionable recommendations that reflect the institution's unique context, its culture, governance model and operational realities, internal audit can help leadership see not just what needs fixing, but what needs evolving.
In today's environment, accountability is not a defensive posture. It is a proactive strategy. Institutions that can demonstrate strong governance, transparent decision-making and credible risk oversight practices will be better positioned to maintain funding, recruit students and fulfill their mission. Internal audit, compliance and risk functions are uniquely positioned to provide this connective tissue, bringing clarity to who is accountable for what and ensuring decisions align with both regulatory requirements and institutional values.
Clarifying accountability structures
To effectively serve in their respective roles, internal audit, compliance and risk leaders must help sharpen the institution's accountability framework. In practice, this means not only defining who is responsible for what but also helping the institution transform its structure and processes to support that accountability. When these functions illuminate misalignments or inefficiencies, they provide leaders with a road map for practical change that respects the institution's culture while driving progress. This includes:
Clarifying decision rights: Who owns compliance risk versus strategic risks, and where does accountability ultimately sit?
Connecting risk oversight to mission: Frame internal audits, reviews and compliance testing not as isolated exercises, but as mechanisms to advance student success, equity and institutional sustainability.
Bridge silos: Join forces across finance, academic affairs and student services to create integrated accountability structures that reflect the interconnected nature of higher ed operations.
Reinforce culture: Embed accountability into daily practice by aligning training, policies and communications with the institution's values and strategic objectives.
Respect independence while fostering coordination: Maintain internal audit's objectivity and reporting line to the board, while ensuring collaboration with compliance and management to reduce duplication and provide a unified view of risks.
Moving toward a broader view of accountability
When accountability is defined too narrowly, either as pure compliance or as service exclusively to the board, institutions risk missing the bigger picture. By embracing a broader model, one rooted in professional standards but oriented toward mission, strategy and trust, internal audit, compliance and risk functions can serve as catalysts for institutional resilience. This expanded approach enables institutions not only to meet their obligations, but to adapt more nimbly, strengthen operations and demonstrate responsible innovation in an era of scrutiny.
Higher education's stakeholders are watching closely. The question is not only whether institutions comply, but whether they live up to their promises. Reimagined accountability helps ensure the answer to both is, "yes".
Looking ahead
If accountability answers the question "who do we serve?" then integration asks, "how do we best serve them?" In our third article in this series, we will examine how internal audit, compliance and risk functions can move from parallel paths to coordinated models, thus reducing duplication, clarifying roles and creating more strategic value for institutions under pressure.
We're here to help
Baker Tilly's higher education risk advisory team can help guide your institution on its strategic alignment journey. For more information, or to learn more about our internal audit, compliance and risk services, connect with our team.