Carnegie Mellon University

Review Areas

Areas are selected for internal audit based upon an assessment of risk at the institutional level. A ‘risk’ is defined as any event or action that adversely impacts the university’s ability to achieve its objectives. Risks can impact organizations in different ways on varying scales of magnitude and likelihood. Areas with a high degree of risk, likelihood, or impact are often subject to more frequent audit.

Some audits are required by governmental agencies or other outside entities, such as the university’s external auditors, and may be performed annually. Other audits are discretionary and involve departmental, operational, or process reviews. These reviews are scheduled in consultation with management.

Internal audits are prioritized based on:

  • Assessment of the risk
  • Financial impact or significance
  • Management referrals - feedback from deans, senior administration, Administrative Leadership Group (ALG) members, directors, or department heads (audit requests are solicited continually)
  • Significant organizational policy or procedural changes
  • Changes in leadership or in direction of the function
  • Emerging issues or changes to compliance requirements
  • Information system implementation or modification
  • Changes in funding agency policies