How Virginia Tech Gains Comprehensive Visibility With Integrated Risk Management

In our Spotlight on Success series, Justin Noble, Director of Internal Audit at Virginia Tech, shares how his audit team leverages technology to align activities across audit, compliance, and ERM. As a leading research institution and the Virginia Commonwealth’s most comprehensive university, Virginia Tech serves more than 37,000 undergraduate, graduate, and professional students and manages a research portfolio of more than $556 million.

Hear how this team reduced silos, gained cross-team visibility, and is implementing an integrated risk management approach by switching from a previous GRC tool to AuditBoard’s connected risk platform, including:

• Leveraging AuditBoard’s OpsAudit, CrossComply, and RiskOversight solutions together to coordinate audit, compliance, and ERM work to surface emerging risks.
• Streamlining communication across the three lines, regulators, and external auditors by centralizing information in a single source of truth. 
• Providing management with insights that support risk-informed decision-making.

Tell us a little about Virginia Tech, and some of the challenges you faced with your previous audit management tool. 

“Virginia Tech is a comprehensive public research institute within the Commonwealth of Virginia. It’s a very large entity, and a top 50 research enterprise within the United States. 

We do a comprehensive risk-based audit plan — any way you can slice and dice Virginia Tech, we’re looking at those processes and procedures. We also do all of the investigations out of my office, as well as policy compliance reviews where we look at basic compliance activities across the university and make sure that we are meeting our compliance obligations.”

“Prior to making the decision to go with AuditBoard, some of the challenges we had with our previous software were that we were in a very inflexible environment. We went through the pandemic like everyone else. We were trying to connect remotely and get VPNs to stay stable, and it just wasn’t working. Connectivity and cross-platform availability were a big challenge. We also realized that we were working in silos. All of our audit work was in our previous tool, all of our compliance work was in SharePoint, and all of our ERM work was done via a different tool. We didn’t have any visibility into the things that we are charged with doing.”

What was your experience like during the software selection process? 

“When we looked at the competitors, everybody was doing one thing well, but nobody was doing all the things well. Versus AuditBoard, which really was trying its best to do all the things well, and do it in a way that made sense, that was simple, and that was clean. That’s what stood out.”

“The AuditBoard team answered a million questions. They were very prompt and very thorough — a very engaging team. That’s key because you want a partner that understands that you’re unique. Sometimes you’re dealing with government requirements that are inflexible, and the team was very responsive to that.”

Tell us about your vision for leveraging AuditBoard’s platform to pursue an integrated risk management approach and drive risk-informed decision-making. 

“The use case that we put together was based on the concept of integrated risk management. We knew that we were asking a lot. AuditBoard was going to be more expensive than our current tool so we had to make the case for why this investment was worth it. For us, it was all about how we were going to align with the second line of defense, with audit as the third line. How that visibility and how integrating the information would be helpful to us. We gave concrete examples about ‘This is sometimes what we’re asked to do. Here’s what the regulators will ask. Here’s what the external auditors will ask. We don’t really have an easy way to provide that information.'” 

“We see great potential and opportunity to map those together. When we’re doing our audit work and when we’re doing the compliance work — AuditBoard is automatically tying all that together for us. We’re not going to have to do the legwork to provide that information. We want to be able to provide management insight. We want to be able to say, ‘Hey management, our compliance work has found the following issues over the last six months. Our audit work has validated similar issues in six different areas. We believe there is an institutional risk that is elevating itself, and we need to make sure we’re getting ahead of it.’ We think that insight is going to be a driver for a better outcome from using AuditBoard.”