Carnegie Mellon University

Frequently Asked Questions

Internal Audit conducts an annual risk assessment, which includes identifying the audit universe (i.e., auditable entities, taking into consideration financial, operational, and compliance risks to the university). Based on the risk assessment and other risk factors (e.g., use of technology, prior audit observations), the annual audit plan is developed, vetted with university leadership, and submitted for approval by the Audit Committee of the Board of Trustees. See Annual Audit Plan for more information.

Having documented policies and procedures will help ensure consistency across your operation and improve adherence to this university’s policies within your operation. Additionally, departments should always:

  • Review and approve transactions before they are processed
  • Reconcile accounts
  • Monitor actual activities against amounts budgeted and maintain a firm grasp on variances
  • Ensure assets are adequately safeguarded
  • Prepare documents on a timely basis within the prescribed deadlines/timeframes
  • File and retain documents in an organized fashion consistent with the department’s or the organization’s record retention policies
  • Segregate duties within a function such that no one person performs all the procedures from beginning to end within that business process

Copies of audit reports are only shared with relevant members of management and distribution is limited. The university’s external accounting firm is also updated with the results of audits throughout the year. 

Any office or department at the university may request Internal Audit services or reach out to Internal Audit for assistance. Depending on the priorities, we may or may not be able to immediately accommodate your request, but will discuss your needs and expectations, and offer initial thoughts for your consideration.

Management should feel free to contact the Executive Director, UAS, with any audit requests or related concerns.

If you suspect a possible irregularity or have observed possible wrongdoing, you should report all concerns to your supervisor. In instances where you are uncomfortable with this approach or unable to report your concern to your supervisor, you may report concerns directly to

If you wish to remain anonymous, or if all avenues have been exhausted and a sufficient response has not been received, visit the Carnegie Mellon Ethics Hotline webpage to learn how to confidentially report suspected unethical activity relating to financial matters. 

IA will work with management to obtain periodic updates on action plans and observation remediation. Management should indicate during these updates when they are comfortable the item has been remediated and the action plan implemented. IA will then work with management to determine appropriate timing for validation testing to verify controls operate effectively.

Management responses should include a defined action plan to correct deficiencies, outlining both the responsible individual(s) and an expected date of completion. Estimated timelines for completion should provide a reasonable estimate for the remediation efforts to be completed and allow for timely corrective action. It is recommended that action plan timelines do not exceed 18 months.