Financial, Operational, and Compliance Audit

How are audits selected?

University audits are selected through our Institutional Risk Management process which includes discussion with schools, departments and University management to identify and prioritize operational, financial and compliance risks to the University. A review of industry reports, discussion among peer groups and an understanding of emerging risks or trends informs audit planning and the identification of specific audit projects for the year are chosen based on these assessed risk factors. Additionally, groups or individuals can request audit assistance on a case by case basis. The final...

Read more about How are audits selected?

Who does RMAS report to?

We administratively report to the Vice President for Finance and CFO, and we receive operating authority from, and are responsible to, the Joint Committee on Inspection. We meet with the Joint Committee on Inspection at least four times per year and provide an annual report on our work and the existing financial, operational, compliance and reputational risks of the University.

Who audits RMAS?

 

RMAS adheres to the International Standards for the Professional Practice of Internal Auditing (Standards) which requires an external assessment by a qualified, independent review team. The objective is to evaluate our conformance with the Standards and to measure ourselves against internal policies and procedures, stakeholder expectations, and industry best practices.

An assessment was undertaken in 2014 and plans are underway for an assessment in 2019. The results of each assessment are provided to senior leadership and to Harvard’s audit oversight...

Read more about Who audits RMAS?

May I request an audit?

You may contact the audit department if you feel you are a good candidate for an audit. Depending on the urgency of the request and our availability, we might be able to schedule you for an audit in the current year. More likely, your request will be put on a list of potential audits for the following fiscal year. When we create our annual audit plan at the beginning of the following fiscal year, we will consider your group along with other groups who requested audits or who were identified as high risk.

How confidential is my report?

Your report is issued to those on the distribution list and its content is held in confidence within RMAS. The distribution of reports to others that may request a copy must be approved by the RMAS Director. This restriction prevents an indiscriminate broadcasting of reported information to people without a need to know.

Who gets copies of audit reports?

In general, an audit report is issued to those in a position to see that corrective actions are taken and those with a need to know. Generally, this includes the department/function management team, Finance Dean, RMAS Director, Vice President of Finance and the PricewaterhouseCoopers Partner on the Harvard account. The report may also be distributed to those individuals who have significant responsibility for the audit area e.g. Office of Sponsored Research for award management audits.

Why aren't good practices sited in an audit report?

The objectives of an audit report are to tell what was found, convince management of the work and validity of the findings and move management toward change and improvement. To accomplish these objectives, audit findings that strengthen the control environment and require management action are given the most attention. However, the report must also be objective and offer an unbiased view of the control environment. This is accomplished in the summary section of the report where an overall assessment of the internal controls is provided, e.g., good, adequate, needs improvement or inadequate...

Read more about Why aren't good practices sited in an audit report?

How much of my time will the audit require?

The time required for the audit will vary depending on the size, complexity and strength of the organization's internal controls. For each audit, there will be an individual within your organization who will act as our main contact for the duration of the audit. The main contact will be responsible for meeting with us to help determine the scope of the audit, gathering requested documentation, discuss our audit findings and helping develop “agreed-to actions” , reviewing and approving the final audit report. We will also need to meet with other key personnel during planning and fieldwork...

Read more about How much of my time will the audit require?

How long will my audit take?

Audits are typically scheduled for three months from beginning to end, which includes four weeks of planning, four weeks of fieldwork and four weeks of compiling the audit report. The auditors are generally working on multiple projects in addition to your audit. The auditors' time will be divided among all of their projects, with some weeks heavily focused on your audit and other weeks less focused on your audit.

What should I expect during an audit?

There are four distinct phases to an audit at the University and an understanding of these phases will help you to understand the process:

Planning

  • An announcement letter is sent to the department/unit informing them of the audit project. This letter will provide details on the timeframe and the name of the managing auditor and auditing team assigned to the project.
  • The managing auditor will interview key personnel in the department to learn more about the operations.
  • The Scope Document is prepared and presented to management as a contract for the work...
Read more about What should I expect during an audit?

Pages