
Frequently Asked Questions about Internal Audit

If you would like to ask the auditor a question, please submit your question and your contact information here:

How do you decide who to audit?

The Director of Internal Audit prepares the annual audit plan for CMU in consultation with the Board Audit Committee, senior leadership, administrative officers of the university, and the external auditor. The audit plan establishes topics and general scope of audit coverage using a risk assessment approach.

If we are selected for an audit, what next?

First, do not panic!  An audit does not mean you are suspected of doing something wrong. It is an opportunity to validate the effectiveness of your processes and controls.  Since managers are held responsible for compliance, an audit will help to identify aspects of your systems that could benefit from improved controls and prepare you for any potential external examination or audit. 

 A successful audit involves a collaborative working relationship between the auditee and Internal Audit. Our objective is to involve you at each stage of the audit so you understand what is being done and why. It is our hope that as you actively engage in the process you will gain much advantage from the audit.

There is no standard amount of time for an audit.  We will provide a tentative timeline at the beginning of your project.  You can help meet the timeline by ensuring our audit team has prompt access to the people and documentation we need to complete the review.   We make every effort to limit disruptions to your ongoing activities. 

See below for an overview of our audit process.

What are the stages of the audit process?

  • Planning includes an audit announcement and defining the scope of your audit.
  • Fieldwork may include a questionnaire, interviews with staff, evaluation of processes, procedures and documentation to identify issues and concerns.
  • Draft report includes an opportunity for management input.
  • Action plan is written by management to address any findings prior to the finalized audit report.
  • Audit report is issued and cc'd to senior leadership and the Board of Trustees.
  • Follow-up audits as needed for findings.

How can Internal Audit assist our department?

Internal Audit helps to:

  • Offer observations and recommendations to help make your department more efficient and effective.
  • Administer an evaluation of your department’s financial and operational procedures for effective internal controls.
  • Evaluate the security, integrity and reliability of the systems, processes and controls used to manage university data.
  • Assist you in assessing compliance with university policies and external regulations.
  • Facilitate internal control training and assessment.
  • Provide a review of a grant for compliance with sponsor requirements.
  • Perform special projects.
  • Act as a liaison between departments.

What is the difference between internal and external audits?

Internal audit staff are employees of the university and seek to help management evaluate the efficient use of resources, manage risks within university operations and evaluate internal controls to safeguard assets. Internal audit staff serve as a liaison with external auditors.

External audit staff are not employees of the university. They test the underlying transactions and records that form the basis of the financial statements, thereby providing public credibility and transparency. The university's financial statement audit is performed by Plante Moran.

Professional organizations that we are members of:

ACUA is an international professional organization dedicated to the practice of internal auditing in higher education. This site includes membership information and links to other audit departments’ web pages. A document library with audit programs and other documents is also available to members.

This site includes information provided through the Institute of Internal Auditors such as periodicals, events, and educational products.

ASUG is an independent, not-for-profit organization of SAP customer companies. ASUG is dedicated to the advancement, understanding, and productive use of SAP products.

ISACA's vision is to be the recognized global leader in IT governance, control and assurance. This site includes information such as membership, conferences, seminars, and research.

Does the Office of Internal Audit at CMU ever get audited?  If yes, by whom?

Yes, we follow the International Standards for the Professional Practice of Internal Auditing. In order to fully comply with the Standards, we are required to undergo an external peer review, called a Quality Assurance Review, at least once every five years. The Director of Internal Audit also completes an internal Quality Assurance Self Assessment Review annually to monitor our conformance with the Standards and to identify improvement opportunities.

What are internal controls?

Internal controls are safeguards for university processes designed to provide reasonable assurances as to the achievement of objectives for:

  • Reliability and integrity of financial and non-financial information
  • Efficiency and effectiveness of processes and programs
  • Safeguarding of assets
  • Compliance with university governance, state governance, and federal law

See our  Internal Controls page for more details.

What is the Ethics Hotline and when should I use it?

If you see something that does not look right, do not keep it to yourself.  The first step is to talk to your supervisor, but if that becomes prohibitive, the CMU Ethics Hotline is available.  This is an accessible, confidential and anonymous way to report activities that may involve unethical or otherwise inappropriate behavior that may violate CMU policies. 

In addition to the Ethics Hotline, you also may continue to rely on existing internal mechanisms for reporting concerns.  The link above will take you to the Ethics Hotline as well as other CMU resources.

No retaliation will be taken or tolerated against any individual reporting or inquiring in good faith about potential ethical misconduct. 

Among the core values of CMU is integrity.  We have made an institutional commitment to adhere to the highest standards of integrity, ethics and principles in all we do. 

How long should records be kept?

Please refer to the new CMU Record Retention Schedule to determine the types of records and the duration of retention.

How long should faculty grade books be kept?

Please refer to the  CMU Record Retention Schedule.