Loading...
Article | Higher Education Series, Part I
Nov. 14, 2025 · Authored by Adrienne Larmett
Higher education is experiencing profound change. Risk oversight functions, internal audit, compliance and enterprise risk management (ERM or risk) must become change agents. Institutions face mounting pressure to cut costs, demonstrate value, modernize outdated operations, navigate complex regulatory expectations and rebuild trust with a public that is increasingly skeptical of their purpose and performance. Traditional oversight models were designed for stability, not transformation. But higher education's current challenges require adaptability, integration and foresight; these are qualities that internal audit, compliance and risk functions are uniquely positioned to deliver, if they are empowered to evolve.
In this moment, the functions often seen as risk and compliance guardians have a unique and urgent opportunity. It is no longer enough to report on problems after the fact. These functions must become proactive, strategic contributors, enabling change, protecting institutional resilience and guiding transformation with confidence. By engaging earlier and more strategically, these functions can help identify where systems, policies or processes need to evolve, spotlighting opportunities for improvement and aligning them with institutional culture, governance traditions and operational realities. This ensures change is not just complaint, but also practical and sustainable.
This article kicks of a six-part series, Rethinking internal audit, compliance and risk in higher education: A road map for strategic alignment, efficiency and a holistic viewpoint. The series explores how risk oversight functions can shift from transactional to transformational, helping institutions align operations with strategy, build resilience and lead with integrity. The ultimate objective: to enable meaningful change while strengthening confidence in the institution's ability to govern itself well.
Through this series we will cover:
Each article aims to challenge assumptions, provide clarity and offer practical, actionable guidance to those responsible for risk oversight in higher education.
Higher education's traditions of decentralization, shared governance and consensus-building reflect deeply held values. But in today's volatile environment, these legacy anchors can slow responsiveness and blur accountability. What once ensured stability now requires adaptation. Because internal audit, compliance and risk functions sit across organizational lines, they have a panoramic view of where governance works and where it constrains progress. When leveraged strategically, they can illuminate where structures, decision rights and processes must evolve to meet modern demands, while still respecting institutional culture and values.
Internal audit, compliance and risk leaders are often caught between their traditional mandates and the growing expectation to deliver more strategic value. When viewed only as compliance monitors or policy enforcers, their influence is limited. But when these roles are embedded in institution-level strategic planning, transformation initiatives and institutional governance, they become critical levers for sustainable change. Internal audit, for instance, can highlight where operational redesign, digital transformation or policy streamlining could align the institution more closely with industry best practices, all while honoring its distinctive mission and governance model.
To remain relevant and effective, these functions must shed outdated perceptions and realign with institutional needs. They must help navigate uncertainty, not just report on it. This means translating risks into actionable insights, showing not just where these risks exist, but how the organization can address them with integrity and foresight.
Historically, internal audit and compliance have focused on control testing, policy adherence and after-the-fact reporting, while risk has been more focused on insurable activities. While these activities are essential, they are often disconnected from the larger questions shaping institutional success:
While internal functions remain siloed and reactive, they risk irrelevance, contributing findings but not foresight; reports but not solutions.
To respond to today's demands, these teams must shift from checking and validating, to challenging and guiding, from isolated reviews to integrated insights and from passive monitors to active facilitators of change.
The need to rethink oversight isn't theoretical, it's operationally urgent. The forces reshaping higher education require risk oversight functions that can do mor than monitor; they must help architect the pathways forward.
The shift is more than a mindset; it is a mandate. Institutions are navigating:
These pressures demand a response not just from leadership, but from those tasked with understanding risk, control and institutional integrity. Internal audit, compliance and risk functions must be invited into strategic planning and conversations early, not brought in at the end. Oversight must be baked into strategic change, not bolted on afterward.
When embedded early and aligned with institutional goals, these functions:
They also help institutions show their work, demonstrating thoughtful governance, responsible stewardship and a culture of continuous improvement. In doing so, internal audit, compliance and risk become both mirror and map, reflecting where the institution stands today, and charting where it can responsibility go next.
Strategic alignment is not an efficiency play; it's a trust-building exercise. When oversight functions are clearly integrated into institutional strategy, stakeholders can see that the institution isn't merely complying with rules, it's governing with purpose. Trust is higher education's most valuable, and most fragile, currency. Headlines about leadership missteps, compliance failures and poor student outcomes have damaged public confidence. And while some of the narrative may be unfair or oversimplified, perception matters.
This is why strategic alignment of risk oversight functions is so powerful. When internal audit, compliance and risk are coordinated and clearly tied to mission and strategy, not just monitoring rules, it signals to stakeholders that the institution takes governance, ethics and accountability seriously.
Strategic alignment does the following:
In short, alignment is not just operationally effective, it is reputationally essential.
The benefits of this reimagined model are not theoretical. When internal audit, compliance and risk are embedded as strategic allies, they actively help institutions evolve. On campuses where Baker Tilly serves as the internal audit function, we have embraced and embedded, strategic role, especially in moment of transformation. Two recently examples stand out:
As institutions modernize enterprise systems, internal audit has joined ERP implementation teams to:
This proactive involvement improves internal control posture, reduce the risk of costly redesigns and shows leadership that governance is integrated, not imposed.
Another institution recently consolidated enrollment-related offices into a single unit: admissions, financial aid, student accounts and the registrar. While this supports student experience and cost savings, it raised control risks, particularly around financial aid packaging and collections.
Internal audit, working alongside compliance, assessed risks and helped design a structure that:
This integrated approach helped the institution pursue efficiency while protecting compliance and trust.
This shift is not just about changing structures; it's about redefining how oversight contributes to transformation. For risk oversight functions to operate as change agents, a mindset shift is needed across three dimensions:
Uphold compliance, but through a collaborative, forward-looking lens
Focus on institutional priorities, not just internal audit cycles or regulatory deadlines
Maintain objectivity but develop the relationships and language needed to shape decision-making
This evolution does not dilute independence or rigor; it amplifies relevance and impact.
When internal audit, compliance and risk leaders are brought in at the design stage, they can help shape initiatives in ways that minimize risk, maximize efficiency and enhance stakeholder confidence, avoiding costly rework later. To move forward, internal audit, compliance and risk leaders must advocate for their inclusion in strategic conversations, ideally at the outset, not after decisions have been made that requires:
These shifts take time, and they require mutual trust. But institutions that invest in this realignment will be better positioned to adapt, compete and lead.
Higher education does not need more oversight for oversight's sake. It needs integrated, strategic and future-oriented risk oversight functions, functions that help institutions navigate complexity, accelerate transformation and reinforce the credibility they need to thrive. By reimagining these functions as strategic partners, not just compliance checks, institutions can better identify where and how to evolve, align with industry best practices and drive change that fits their unique culture, governance structure and capabilities.
By reimagining the role of internal audit, compliance and risk not as passive reviewers but as active contributors, colleges and universities can build more resilient operations and a stronger case for their continued value. This approach does more than strengthen controls, it positions institutions to lead with confidence, demonstrate responsible stewardship and rebuild the public trust that higher education depends on.
In the next article we will explore the foundational question of whom risk oversight functions serve and why answering that question clearly is essential to aligning their work with institutional priorities.
We're here to help. For more information, or to learn more about how Baker Tilly's higher education risk advisory team can guide your institution, connect with us.
Explore the value of internal audit for your higher education institution with Baker Tilly insights, case studies and other resources.
Baker Tilly’s proactive assurance FAQ highlights key benefits and leading practices to ensure your organization addresses risks before they become critical issues.
Boards and audit committees can enhance oversight with a more strategic internal audit function that can create and protect value.
Through proactive assurance, internal audit can add immediate and tangible value to an organization.
