University audits are selected through a risk assessment process. RMAS communicates with schools, departments and University management to identify and prioritize operational, financial and compliance risks to the University. The specific audit projects for the year are chosen based on these assessed risk factors. The final plan is also evaluated to ensure adequate representation of schools, departments and affiliates.
We administratively report to the Vice President for Finance and CFO, and we receive operating authority from, and are responsible to, the Joint Committee on Inspection. We meet with the Joint Committee on Inspection at least four times per year and provide an annual report on our work and the existing financial, operational, compliance and reputational risks of the University.
RMAS adheres to the International Standards for the Professional Practice of Internal Auditing, which require an external assessment once every five years by a qualified, independent review team. We were reviewed in the summer of 2006. The review team consisted of executives from Raytheon, Duke University, Indiana University and Northwestern University. The review team was assisted by PricewaterhouseCoopers.
You may contact the audit department if you feel you are a good candidate for an audit. Depending on the urgency of the request and our availability, we might be able to schedule you for an audit in the current year. More likely, your request will be put on a list of potential audits for the following fiscal year. When we create our annual audit plan at the beginning of the following fiscal year, we will consider your group along with other groups who requested audits or who were identified as high risk.
Your report is issued to those on the distribution list and its content is held in confidence within RMAS. The distribution of reports to others that may request a copy must be approved by the RMAS Director. This restriction prevents an indiscriminate broadcasting of reported information to people without a need to know.
In general, an audit report is issued to those in a position to see that corrective actions are taken and those with a need to know. Generally, this includes the department/function management team, Finance Dean, RMAS Director, Vice President of Finance and the PricewaterhouseCoopers Partner on the Harvard account. The report may also be distributed to those individuals who have significant responsibility for the audit area e.g. Office of Sponsored Research for award management audits.
The objectives of an audit report are to tell what was found, convince management of the work and validity of the findings and move management toward change and improvement. To accomplish these objectives, audit findings that strengthen the control environment and require management action are given the most attention. However, the report must also be objective and offer an unbiased view of the control environment.
The time required for the audit will vary depending on the size, complexity and strength of the organization's internal controls. For each audit, there will be an individual within your organization who will act as our main contact for the duration of the audit. The main contact will be responsible for meeting with us to help determine the scope of the audit, gathering requested documentation, discuss our audit findings and helping develop “agreed-to actions” , reviewing and approving the final audit report.
Audits are typically scheduled for three months from beginning to end, which includes four weeks of planning, four weeks of fieldwork and four weeks of compiling the audit report. The auditors are generally working on multiple projects in addition to your audit. The auditors' time will be divided among all of their projects, with some weeks heavily focused on your audit and other weeks less focused on your audit.