Carnegie Mellon University

Internal Audit Types

IA’s scope of work is comprehensive and considers all aspects of the organization, both financial and non-financial, with an emphasis on constructive improvement.

In addition to these types of reviews, IA also performs advisory services at the university. In this role, IA can assist management with identifying enterprise-wide cost efficiencies, provide insights that improve business performance, and recommend areas for risk focus and prioritization.  IA uses its comprehensive knowledge of university operations and provides additional resources and analysis as a decision-making tool for management.

Financial/Controls Audits

Address questions of accounting, recording, and reporting of financial transactions, as well as reviewing the adequacy of internal controls.

Compliance Audits

Determine if departments adhere to federal, state, and university rules, regulations, policies, and procedures.

Operational Audits

Examine the use of department/university resources to evaluate whether those resources are utilized in the most efficient and effective way to fulfill the department's/university's mission and objectives. An operational audit may include elements of a compliance audit, a financial audit, and an information systems audit.

Construction Audits

Focus on major capital projects at the university to ensure key processes and controls in place to manage these activities are operating effectively throughout the life of the project. As part of the Construction Audits, the IA team validates compliance with the contract terms, including detailed reviews of the contractor’s invoicing activity.

Integrated Audits

Combine a financial/controls audit of an area with an information technology assessment of the systems and infrastructure that support the unit. An integrated audit can assess the effectiveness of the coordination between the information systems and the business activities to support defined goals and objectives.

Information Systems (IS) Audits

Address the internal control environment of automated information processing systems and how these systems are used. IS Audits typically evaluate system input, output and processing controls, backup and recovery plans, and system security, as well as computer facility reviews. IS audits may focus on not only assessing existing systems, but performing real-time system assessments on system upgrades or implementations.

Special Investigations

Performed when appropriate. These audit activities focus on alleged violations of federal and state laws and of university policies and regulations. Internal theft, misuse of university assets, hotline allegations, and conflicts of interest are examples of investigative audits.

Follow-up Audits and Validation Testing

IA maintains a database of all observations and recommendations generated from its audits. After a reasonable period, IA requests a status report from the audit client regarding corrective actions taken to date. IA evaluates the effectiveness of these corrective actions and performs follow-up and validation testing procedures to determine if revised processes and controls are operating effectively.

The timing and the extent of follow-up testing varies based on the audit. In situations where the corrective actions may not be sufficient, IA may advise alternative actions to achieve the desired improvements. In larger and more complex audit situations, this step may be repeated several times as additional changes are initiated. IA provides information pertaining to the status of open audit issues to the Audit Committee of the Board of Trustees.