Carnegie Mellon University

The Internal Audit team consists of internal auditors, who are employees of the university. We report directly to the Audit Committee of the Board of Trustees and work closely with university management to ensure our work is aligned with university initiatives and prioritized based on the areas of largest risk and exposure.

"External auditor" most frequently refers to the independent accounting firm hired to provide an independent opinion on the institution's financial statements. PricewaterhouseCoopers LLC performs these services for the university annually at the direction of the Audit Committee of the Board of Trustees. Other external auditors could include governmental auditors, such as the Defense Contract Audit Agency (DCAA), or other regulatory auditors, who may focus primarily on compliance with federal regulations and award terms.

Internal Audit conducts an annual risk assessment, which includes identifying the audit universe (i.e., auditable entities, which takes into consideration financial, operational, and compliance risks to the university). Based on the risk assessment and other risk factors (e.g., use of technology, prior audit observations), the annual audit plan is developed, vetted with university leadership, and submitted for approval by the Audit Committee of the Board of Trustees. See Annual Audit Plan for more information.

Having documented policies and procedures will help ensure consistency across your operation and improve adherence to this university’s policies within your operation. Additionally, departments should always:

  • Review and approve transactions before they are processed
  • Reconcile accounts
  • Monitor actual activities against amounts budgeted and have a firm grasp on variances
  • Ensure assets are adequately safeguarded
  • Prepare documents on a timely basis within the prescribed deadlines/timeframes
  • File and retain documents in an organized fashion consistent with the department’s or the organization’s record retention policies
  • Segregate duties within a function such that no one person performs all the procedures from beginning to end within that business process

The Executive Director, University Audit Services, functionally reports to the Chair of the Audit Committee of the Board of Trustees and administratively to the Vice President for Finance and Chief Financial Officer.

Per the university’s Responsibilities for Managing University Financial Assets policy:

The Internal Audit department exists to assist university officials and the Board of Trustees in the effective discharge of their responsibilities. Internal Audit is responsible for examining and evaluating the adequacy and effectiveness of (1) the systems of internal control and their related accounting, financial and operational policies and (2) procedures for financial and compliance monitoring and reporting. The (executive) director of internal audit has authority to present reports directly to the president of the university and has independent access to the Board of Trustees' Audit Committee. Internal Audit has direct access to all university books and records.

Copies of audit reports are only shared with relevant members of management and distribution is limited. The university’s external accounting firm is also updated with the results of audits throughout the year. 

Any office or department at the university may request Internal Audit services or reach out to Internal Audit for assistance. Depending on the priorities, we may or may not be able to immediately accommodate your request, but will discuss your needs and expectations, and offer initial thoughts for your consideration.

Management should feel free to contact the Executive Director, UAS, with any audit requests or related concerns at 412.268.1978 or

If you suspect a possible irregularity or have observed possible wrongdoing, you should report all concerns to your supervisor. In instances where you are uncomfortable with this approach or unable to report your concern to your supervisor, you may report concerns directly to the Executive Director of University Audit Services.

If you wish to remain anonymous, or if all avenues have been exhausted and a sufficient response has not been received, visit the Carnegie Mellon Ethics Hotline webpage to learn how to confidentially report suspected unethical activity relating to financial matters. 

IA will work with management to obtain periodic updates on action plans and observation remediation. Management should indicate during these updates when they are comfortable the item has been remediated and the action plan implemented. IA will then work with management to determine appropriate timing for validation testing to verify controls operate effectively.

Management responses should include a defined action plan to correct deficiencies, outlining both the responsible individual(s) and an expected date of completion. Estimated timelines for completion should provide a reasonable estimate for the remediation efforts to be completed and allow for timely corrective action. It is recommended that action plan timelines do not exceed 18 months.