Audit objectives are developed during the planning stage of an engagement and directly align with the business objectives of the area or process under review. Most engagements focus on ensuring controls are in place to effectively mitigate the risks that could prevent the area or process from accomplishing its business objectives. Auditors also ensure that engagement objectives are consistent with the organization’s objectives with regard to:
Although every audit is unique, the audit process usually consists of four stages: Planning, Field work, Reporting and (for some audits) Follow-up. Engagement of the client, or the area being audited, is critical at every stage of the audit process. An audit often results in a certain amount of time being diverted from your department’s usual routine. It’s helpful for a client to treat an audit like any other special project and allocate time for you and your staff to participate in the audit process. This minimizes the time necessary for the audit and avoids disrupting ongoing...
University audits are selected through our Institutional Risk Management process, which includes discussion with schools, departments and University management to identify and prioritize operational, financial and compliance risks to the University. A review of industry reports, discussion among peer groups and an understanding of emerging risks or trends inform audit planning, and specific audit projects for the year are chosen based on these assessed risk factors. Additionally, groups or individuals can request audit assistance on a case-by-case basis. The final...
An Information Technology audit is the examination and evaluation of an organization's information technology infrastructure, applications, data use and management, policies, procedures and operational processes against recognized standards or established policies. Audits evaluate if the controls to protect information technology assets ensure integrity and are aligned with organizational goals and objectives.
In the case of an event involving Confidential Information, which is information classified or treated as data under Levels 2 – 5 of the Harvard Data Classification table, report the event immediately following these steps:
A variety of support tools are available for learning about and implementing information security policies. To learn more about these tools, please see https://security.harvard.edu/resources.
An integrated audit considers the relationship between information technology, financial and operational controls in establishing an effective and efficient internal control environment. Even though issues may not be identified in financial and operational controls, issues identified in information technology may negate the effectiveness of the financial and operational controls and vice versa. Therefore, an integrated audit evaluates the interplay between...
The Information Technology (IT) audit group is a unit within Risk Management and Audit Services (RMAS) that focuses on the University's technology environment and supporting operational processes to assure information technology assets are reliable, available, protected and compliant with University policies and procedures, as well as applicable laws and regulations. We emphasize the importance of identifying and mitigating risks associated with the use of data, applications, infrastructure,...