http://www.audit.cornell.edu/faq.

html Frequently Asked Questions

What Is Internal Audit?
Just what do auditors do? How do they select their "auditee"? Many units don't give audits a second thought until they are selected for review. Here is some general information about the internal audit function at Cornell.

Who are internal auditors? Why does Cornell have an internal audit function? Where does the audit function fit in the organization? What's the difference between e ternal and internal auditors? What if an e ternal auditor contacts you? How are units selected for audit? What are internal auditors loo!ing for? What if something isn't handled correctly? "s the #udit $ffice %art of the &ivision of 'inancial #ffairs? Can a de%artment re(uest an audit? How long does an audit ta!e? What if " don't have the time to deal with the auditors? What if it's a bad time for an audit because )choose one* a* we're short+staffed b* the finance director ,ust (uit c* it's budget season d* we're crawling with studentse* we're trying to close out the year. Who will receive my audit re%ort? &oes the .oard of /rustees see what is in the audit re%orts? Who audits the #udit $ffice? "f " call you with information about a %ossible irregularity0 will my identity be !e%t a secret?

Who are internal auditors?

#s defined by the "nstitute of "nternal #uditors )""#*0 ""nternal auditing is an inde%endent0 ob,ective assurance and consulting activity designed to add value and im%rove an organization's o%erations. "t hel%s an organization accom%lish its ob,ectives by bringing a systematic0 disci%lined a%%roach to evaluate and im%rove the effectiveness of ris! management0 control0 and governance %rocesses. "nternal #uditors' roles include monitoring0 assessing0 and analyzing organizational ris! and controls1 and reviewing and confirming information and com%liance with %olicies0 %rocedures0 and laws. Wor!ing in %artnershi% with management0 internal auditors %rovide the

board0 the audit committee0 and e ecutive management assurance that ris!s are mitigated and that the organization's cor%orate governance is strong and effective. #nd0 when there is room for im%rovement0 internal auditors ma!e recommendations for enhancing %rocesses0 %olicies0 and %rocedures."

Why does Cornell ha e an internal audit function?

/he 2niversity #udit $ffice e ists by charter and by+law to assist 2niversity management and the #udit Committee of the .oard of /rustees in effectively fulfilling their res%onsibilities. We are charged with e amining and evaluating the %olicies0 %rocedures0 and systems which are in %lace to ensure3 the reliability and integrity of information1 com%liance with %olicies0 %lans0 laws0 and regulations1 the safeguarding of assets1 and0 the economical and efficient use of resources. "n sim%ler words0 we're here to hel%.

Where does the audit function fit in the or!ani"ation?

/he 2niversity #uditor has a solid+line re%orting relationshi% to Cornell's 4resident and the #udit Committee of the .oard of /rustees. We're a small office with a big ,ob.

What#s the difference $etween e%ternal and internal auditors?

5 ternal auditors can be government auditors or inde%endent %ublic accounting firms that Cornell hires. 6overnment auditors focus %rimarily on com%liance with government regulations and award terms. 7ince both federal and state governments fund a significant %ortion of the university's activities0 they want to ma!e sure we use their money as they intended. "nde%endent %ublic accounting firms review the university's annual financial statements to ensure the information %resented accurately %ortrays Cornell's financial condition. 6overnment agencies0 Cornell's .oard of /rustees0 and bond rating agencies rely on the inde%endent auditor's o%inion of Cornell's financial statements. "nternal auditors sometimes loo! at the same data or %erform some of the same ste%s as e ternal auditors. "f there is a %roblem0 it's better to find it and fi it before e ternal auditors review our %ractices.

What if an e%ternal auditor contacts you?

#ll e ternal audits should be coordinated through the 2niversity #udit $ffice or 7%onsored 4rogram 7ervices. "f you or your unit is contacted by an e ternal auditor0 before sharing any information0 direct them to contact the 2niversity #udit $ffice or 7%onsored 4rogram 7ervices. We can sometime dissuade an audit or at least minimize the im%act on an o%eration. 8emember0 internal audit is on your side and can hel% you get through an e ternal audit.

&ow are units selected for audit?

5very two years0 the 2niversity #udit $ffice hel%s determine where Cornell ris!s failing in its mission due to internal %rocedural deficiencies. 'irst0 the university is bro!en down into areas of institutional concern0 such as 7%onsored 8esearch0 and auditable activities such as units0 de%artments0 cost centers0 subsidiaries0 information systems or %rocesses. 9e t0 relevant ris! factors such as control environment0 re%utation:legal im%act0 and o%erations im%act are weighted. "nstitutional concerns and auditable activities are then scored using these factors and the audit office decides which areas to audit based on these ris! ran!ings and the audit resources available.

What are internal auditors lookin! for?

4rimarily com%liance with university %olicies and sound internal controls. Cornell's %olicies are designed to hel% ensure we all com%ly with a%%licable laws and regulations and o%erate efficiently. .y following these %olicies we hel% %rotect the university from unnecessary ris!s and hel% ensure sound business %ractices are consistent throughout the university. 2niversity %olicies can be found here3 htt%3::www.%olicy.cornell.edu. However0 not all internal controls can be codified in %olicy. "f we find control wea!nesses0 we regularly ma!e recommendations to im%lement a control even though it may not be s%ecifically re(uired by %olicy.

What if somethin! isn#t handled correctly?

We will ma!e recommendations for im%rovement. /he recommendations are realistic because we want you to im%lement them. "t is the res%onsibility of management to weigh %ossible additional costs of im%lementing our recommendations in terms of benefits to be derived and the relative ris!s involved.

Is the Audit 'ffice part of the (i ision of Financial Affairs?

9o0 the #udit $ffice wor!s inde%endently of the &ivision of 'inancial #ffairs. $ur office has a solid+line re%orting relationshi% to Cornell's 4resident and the #udit Committee of the .oard of /rustees.

Can a department request an audit?

;es- We consider re(uests for audit wor!0 although our ability to %erform the audit might be affected by our staffing levels0 or year end deadlines. 7till0 if you are concerned about an area in your de%artment0 we will try to ma!e time for a limited e amination of the area. We're also available to do %resentations and training for your de%artment.

&ow lon! does an audit take?

We budget between <== and >== hours for a ty%ical audit0 de%ending on the size and com%le ity of the area. We normally have one auditor leading the audit0 and auditors will sometimes have more than one audit in %rocess at a time0 so an audit could ta!e from two months to si months to com%lete.

What if I don#t ha e the time to deal with the auditors? What if it#s a $ad time for an audit $ecause )choose one*: a* we#re short+staffed $* the finance director ,ust quit c* it#s $ud!et season d* we#re crawlin! with studentse* we#re tryin! to close out the year.
&uring the audit o%ening meeting0 we will discuss the audit schedule and try to accommodate time constraints that you may have. #lthough <== to >== hours loo!s li!e a lot of time0 much of our wor! is done behind the scenes. Many %eo%le o%erate under the erroneous belief that in doing an audit we will s%end lots of time with you and ta!e time away from your other obligations. We may need to meet !ey %ersonnel on the audit two or three times for maybe an hour at a time over the audit %eriod. We may s%end e(ual amounts of time0 and %erha%s less0 with others in the de%artment0 but we will not be mono%olizing anyone's time in the de%artment and much of our wor! such as audit %lanning and re%ort writing0 is done in our offices.

Who will recei e copies my audit report?

We send co%ies of audit re%orts to the de%artment administration0 the 4resident0 the ?ice 4resident for 'inance and C'$0 the Controller0 the e ternal auditors )4ricewaterhouseCoo%ers* and to others0 de%ending on the ty%e of audit. 8e%orts on academic units are sent to the 4rovost. "/ audit re%orts go to the ?ice 4resident for "nformation /echnologies. 8e%orts on irregularities are sent to 2niversity Counsel0 and may be sent to either the &ean of 'aculty0 ?ice 4resident for Human 8esources0 or the Judicial #dministrator de%ending on if they involve faculty0 staff0 or students.

(oes the .oard of /rustees see what is in the audit reports?

We %re%are an annual re%ort for the /rustees containing a dozen or so of the most significant findings or systematic issues from our audits for the year.

Who audits the Audit 'ffice?

5 cellent (uestion- #ctually0 we are audited every five years by other auditors under guidelines set forth by the #ssociation of College and 2niversity #uditors. /his "%eer review" %rocess draws u%on the standards and guidelines set forth by the "nstitute of "nternal #uditors in their International Standards for the Professional Practice of Internal Auditing. /he %eer reviewers ty%ically include auditors from other universities0 %ublic accounting firms0 or s%ecialists in an audit area and they issue a re%ort with findings and recommendations0 ,ust as we do when we audit university units.

If I call you with information a$out a possi$le irre!ularity0 will my identity $e kept a secret?
/his is a hard (uestion to answer without !nowing whether or not the s%ecific circumstance you are re%orting will end u% in legal action. #s a general rule0 we do not reveal our sources to the %erson being investigated. #nd we always try to corroborate any accusations with our

own observation. "f an irregularity is referred to the &istrict #ttorney for legal %rosecution0 and your testimony would be critical to the outcome of the case0 it may become necessary to involve you in the irregularity. "n addition0 the Cornell Hotline %rovides for anonymous re%ort of financial irregularities.

(efinition of Internal Audit

"nstitute of "nternal #uditors )""#* 7tandard effective January <==<. "nternal auditing is an inde%endent0 ob,ective assurance and consulting activity designed to add value and im%rove an organization's o%erations. "t hel%s an organization accom%lish its ob,ectives by bringing a systematic0 disci%lined a%%roach to evaluate and im%rove the effectiveness of ris! management0 control0 and governance %rocesses. /he audit %rocess is generally a ten+ste% %rocedure as outlined below. 4lease clic! through the ste%s in order to better understand the %rocess.

@. 9otification <. 4lanning A. $%ening Meeting B. 'ieldwor! C. Communication >. 8e%ort &rafting D. Management 8es%onse E. Closing Meeting F. 8e%ort &istribution @=. 'ollow+u%

1otification
'irst0 you will receive a letter to inform you of an u%coming audit. /he auditor will send you a %reliminary chec!list. /his is a list of documents )e.g. organization charts0 financial statements* that will hel% the auditor learn about your unit before %lanning the audit.

2lannin!
#fter reviewing the information0 the auditor will %lan the review0 conduct a ris! wor!sho% %rimarily to identify !ey ris!s and raise ris! awareness0 draft an audit %lan0 and schedule an o%ening meeting.

'penin! 3eetin!
/he o%ening meeting should include senior management and any administrative staff that may be involved in the audit. &uring this meeting0 the sco%e of the audit will be discussed. ;ou should feel free to as! the auditors to review areas that you are concerned about. /he time frame of the audit will be determined0 and you should discuss any %otential timing issues )e.g. vacations0 deadlines* that could im%act the audit. "t doesn't ta!e as much of your time as you might e %ect-

Fieldwork

#fter the o%ening meeting0 the auditor will finalize the audit %lan and begin fieldwor!. 'ieldwor! ty%ically consists of tal!ing with staff0 reviewing %rocedure manuals0 learning about your business %rocesses0 testing for com%liance with a%%licable university %olicies and %rocedures and laws and regulations0 and assessing the ade(uacy of internal controls. ;ou should ma!e your staff aware that the auditor will be scheduling meetings with them.

Communication
/hroughout the %rocess0 the auditor will !ee% you informed0 and you will have an o%%ortunity to discuss issues noted and the %ossible solutions.

4eport (raftin!
#fter the fieldwor! is com%leted0 the auditor will draft a re%ort. /he re%ort consists of several sections and includes3 the distribution list0 the follow+u% date0 a general overview of your unit0 the sco%e of the audit0 any ma,or audit concerns0 the overall conclusion0 and detailed commentary describing the findings and recommended solutions. ;ou should read the draft re%ort carefully to ma!e sure there are no errors. "f you find a mista!e0 inform the auditor right away so that it can be corrected before the final re%ort is issued.

3ana!ement 4esponse
$nce the re%ort is finalized0 we will re(uest your management res%onses. /he res%onse consists of A com%onents3 whether you agree or disagree with the %roblem0 your action %lan to correct the %roblem0 and the e %ected com%letion date.

Closin! 3eetin!
# closing meeting will be held so that everyone can discuss the audit re%ort and review your management res%onses. /his is an o%%ortunity to discuss how the audit went and any remaining issues.

4eport (istri$ution
/he re%ort is then distributed to you0 your manager)s*0 senior university administrators0 internal audit0 and the university's e ternal auditors. We also distribute an audit survey to the audited unit to solicit feedbac! about the audit. 'eedbac! is im%ortant to us0 since it can hel% us im%rove the audit %rocess.

Follow+5p
'ollow+u% reviews are %erformed on an issue+by+issue basis and ty%ically occur shortly after the e %ected com%letion date0 so that agreed+u%on corrective actions can be im%lemented. /he %ur%ose of the follow+u% is to verify that you have im%lemented the agreed+u%on corrective actions. /he auditor will interview staff0 %erform tests0 or review new %rocedures to %erform the verification. ;ou will then receive a letter from the auditor indicating whether you have satisfactorily corrected all %roblems or whether further actions are necessary. "f further corrective action is re(uired0 you will need to write a management res%onse. $therwise0 the issue will be re%orted as resolved.

2re alent Audit Concerns

"m%ro%er 7egregation of &uties 4rocurement Card 4olicy 9ot 'ollowed 'ailure to &ocument .usiness 4ur%ose 7u%ervisors 9ot #%%roving /ime Wor!ed 'ailure to 4erform 4eriodic 9etwor! ?ulnerability 7cans /erminated 5m%loyees 8etain #ccess to Com%uter 7ystems "nade(uate Cash Controls 5m%loyees 9ot 6iven #nnual 4erformance #%%raisals "nade(uate 8eview of /ransactions .efore #%%roval 2nlicensed 7oftware "s "nstalled $n &e%artment Com%uters 8egular "nventory of Ca%ital #ssets "s 9ot /a!en 4ro%er .idding 4rocedures #re 9ot 'ollowed 7haring of 9et"&'s and 4asswords Gac! of 7u%ervisor 8eview of /ravel Gac! of Certification and &ocumented 8eview of #ccrued Geave .alances

Improper 6e!re!ation of (uties

7egregation of duties is an internal control intended to %revent or decrease the occurrence of innocent errors or intentional fraud. /his is done by ensuring that no single individual has control over all %hases of a transaction. /here are four general categories of duties3 authorization0 custody0 record !ee%ing and reconciliation. "n an ideal system0 different em%loyees %erform each of these four ma,or functions. "n other words0 no one %erson has control of two or more of these res%onsibilities. /he more negotiable the asset0 the greater the need for %ro%er segregation of duties + es%ecially when dealing with cash0 negotiable chec!s and inventories. We often thin! of cash handling as the %lace where segregation of duties is most im%ortant0 because cash is a highly li(uid asset. /his means that it is easy to ta!e money and s%end it without leaving a trail of where it went. #ny de%artment that acce%ts funds0 has access to accounting records0 or has control over any ty%e of asset should be concerned with segregation of duties. 7ome e am%les of incom%atible duties are3

#uthorizing a transaction0 receiving and maintaining custody of the asset that resulted from the transaction. 8eceiving chec!s )%ayment on account* and a%%roving write+offs. &e%ositing cash and reconciling ban! statements. #%%roving time cards and having custody of %ay chec!s.

7e%aration of duties will only limit %roblems stemming from incom%atible duties. "t is %ossible0 though not li!ely0 that collusion will occur0 ma!ing control %rocedures ineffective. Management needs to be aware of relationshi%s )family and friends* and be alert to the %ossibility of collusion.

#lso0 in a small o%eration0 it is not always %ossible to have enough staff to %ro%erly segregate duties. "n those cases0 management may need to ta!e a more active role to achieve se%aration of duties0 by chec!ing the wor! done by others. 7ometimes0 the !nowledge that records will be chec!ed by others is enough to %revent misa%%ro%riation of assets.

2rocurement Card 2olicy 1ot Followed

/he university %olicy on %rocurement cards was established after much thought and review. /he re(uirements of the %olicy are not arbitrary0 but were established to !ee% Cornell in com%liance with regulations and to allow other Cornell systems of record!ee%ing and re%orting to wor! %ro%erly. 'or e am%le0 the %rocurement card %olicy %rohibits the %urchase of the services of inde%endent contractors. /his is because there is no way to trac! those %ayments and issue @=FF's )7tatements of Miscellaneous "ncome* at the end of the year0 as re(uired by 'ederal law.

Failure to (ocument .usiness 2urpose

Gac! of documented business %ur%ose of travel and other business e %enses is an audit concern that arises regularly. /he university receives0 from a variety of sources0 funds that carry with them fiduciary res%onsibilities. /hese res%onsibilities re(uire that funds only be used for ordinary0 reasonable0 and actual business+related e %enses incurred in furtherance of the university's missions. When university community members fail to %rovide su%%orting documentation evidencing business %ur%ose of e %enses0 as re(uired for internal and e ternal reviewers0 it can result in ina%%ro%riate charges going undetected. 5vidence of lac! of documented business %ur%ose or failure to detect ina%%ro%riate charges could lead to fines0 %enalties0 and a loss of the %ublic trust which could have a serious im%act on future funding.

6uper isors 1ot Appro in! /ime Worked

Cornell has online a%%roval for time wor!ed by hourly em%loyees. /he %erson who a%%roves an em%loyee's timecard should be the %erson familiar with the em%loyee's wor! and the hours the em%loyee wor!s0 most often the em%loyee's su%ervisor. "n those cases where it is not %ossible for the su%ervisor to a%%rove an em%loyee's time online0 the su%ervisor should document his or her a%%roval in writing. 7hould a (uestion come u% later about a timecard0 this gives an additional measure of certainty regarding the time recorded by the em%loyee0 as well as written evidence that the su%ervisor !new the em%loyee wor!ed those hours0 and was a%%roved to wor! those hours.

Failure to 2erform 2eriodic 1etwork 7ulnera$ility 6cans

We often find that units are not %erforming %eriodic networ! vulnerability scans on the wor!stations0 servers0 and %rinters they are res%onsible for. Most o%erating systems have vulnerabilities that e %ose them to attac!s. #n attac!er could e %loit these vulnerabilities and disru%t or damage systems and gain access to confidential information0 which could lead to fines %enalties and damage Cornell's re%utation. 8egularly

scanning wor!stations0 servers0 and %rinters for vulnerabilities and ta!ing ade(uate ste%s to understand and correct them0 hel%s to ensure that systems are %rotected from such attac!s.

/erminated 8mployees 4etain Access to Computer 6ystems

$ften we find that em%loyees who have left the university or who have transferred to another de%artment still have access to com%uter systems. 2nauthorized access to records is the biggest ris! here0 but the e istence of this condition highlights a larger issue0 the lac! of %rocedure ++ or the ineffectiveness of the e isting %rocedure ++ when em%loyees are hired or leave the de%artment. /o deal with the com%uter access %roblem0 de%artments could use a chec!list of access to com%uter systems to be given to new hires0 and use the same list to remove access when the em%loyee leaves. #n em%loyee may change %ositions within the de%artment0 re(uiring access to de%artmental systems that wasn't necessary at his or her initial hire date0 or new systems may be im%lemented. 'or this reason0 it is wise to %eriodically chec! who has access to your com%uter systems. &oes your de%artment have a %rocedure in %lace to do this?

Inadequate Cash Controls

Cash is a highly li(uid asset0 meaning that it can easily be misa%%ro%riated. 'or this reason0 it is im%ortant to have strong controls over cash o%erations. Cash should be %hysically secured with limited access to registers0 safes and cash bo es. &e%osits should be made timely0 before large amounts of cash accumulate. 4etty cash accounts should be reconciled regularly. 7ur%rise cash counts should be made in any o%eration handling large amounts of cash.

8mployees 1ot 9i en Annual 2erformance Appraisals

#nnual %erformance a%%raisals are a tool of communication between em%loyees and su%ervisors. /hey %rovide em%loyees with feedbac! on the ,ob they've been doing0 serve as an o%%ortunity for su%ervisors to ma!e clear their e %ectations of their em%loyees0 and allow em%loyee and su%ervisor to discuss strengths0 wea!nesses and goals for the coming year. Written %erformance a%%raisals %rovide a record of %rogress which may su%%ort later disci%linary or laudatory actions. #ll em%loyees are entitled to !now "how they're doing"0 and the written %erformance a%%raisal is a way to formally communicate this.

Inadequate 4e iew of /ransactions .efore Appro al

/he effectiveness of internal controls are limited to the e tent that decisions are made with ,udgment0 in the available time0 based on information on hand0 and under %ressure to conduct business. "nternal controls can brea! down when authorizers do not review the forms they must sign0 such as accounts %ayable vouchers0 reconciliations and time cards. "n audit office %resentations0 we li!e to state it this way3 "We are loo!ing for a signature0 not an autogra%h." 2nli!e an autogra%h0 a signature im%lies that a review too! %lace.

5nlicensed 6oftware is Installed on (epartment Computers

Having unlicensed software on your de%artment's com%uters e %oses the university to %ossible %enalties from software vendors0 as well as litigation costs and:or damage to the university's re%utation. &e%artments should have a software management system in %lace that trac!s software installed on university com%uters. #n additional benefit to having such a system is the ability to ta!e advantage of bul! %urchases or site licenses for widely+used a%%lications.

4e!ular In entory of Capital Assets is 1ot /aken

/he university Ca%ital #ssets 4olicy re(uires that %hysical inventory be ta!en every two years. 4hysical inventory involves locating the item0 ma!ing sure the written record of its location0 condition0 serial number0 etc. is correct0 and removing the item if it no longer e ists. 4hysical inventory gives management assurance that assets are still in the %lace of record0 that they haven't been moved0 dis%osed of0 or stolen0 and that they are still in wor!ing condition.

2roper .iddin! 2rocedures are 1ot Followed

/he university's bidding %rocedures were established to ensure that the university receives com%etitive %ricing on goods and services. "t also ensures that %urchases are not sub,ect to favoritism0 and can %rotect against fraud in the %urchasing %rocess. "n addition0 individuals who use 7tate and 'ederal funds to %urchase items may be re(uired0 as a condition of acce%ting those funds0 to bid out their %urchases.

6harin! of 1etI(#s and 2asswords

4assword sharing is described as %rohibited in several university %olicies including0 2niversity 4olicy 9o. B.@<0 Data Stewardship and Custodianship, 9o. C.B.@0 Security of IT Resources, 9o. C.C0 Stewardship and Custodianship of Electronic Mail, and 9o. C.E0 Authentication of Infor ation Technology Resources. 4asswords are used to identify system users and %rovide a trail of each user's activity1 therefore they must be !nown only to one user. "t is very im%ortant that 9et"& %asswords be !nown only to one user as 9et"&'s are used to identify the user to services which dis%lay confidential %ersonal data0 including %ersonal wage and benefits information. 7haring 9et"& %asswords can also cause a brea!down in %ro%er segregation of duties because 9et"&'s are used to identify users to services such as C$G/7 and the C2 $nline /ravel 7ystem where transactions are %rocessed that re(uire a se%arate %re%arer and a%%rover. 7haring 9et"&'s and %asswords can allow one user to be both %re%arer and a%%rover. "n some cases0 we have found that 9et"&'s and %asswords are shared so one user can access another user's email. /he need to access another user's email is not an a%%ro%riate reason to share 9et"&'s and %asswords. #lternative methods are available for accessing another user's email0 units should contact C"/ for more information.

:ack of 6uper isor 4e iew of /ra el

/he %ur%ose of 2niversity 4olicy 9o. A.<0 !ni"ersity Tra"el, is to ensure that travel charged to university accounts is for legitimate business %ur%oses. 'ailure to com%ly with this %olicy increases the ris! of loss due to errors and irregularities. 4olicy 9o. A.< states that "su%ervisors must review all travel." /his review must be %erformed by the traveler's

su%ervisor as they are li!ely to be in the best %osition to assess the legitimacy of the business %ur%ose for travel. 7u%ervisory review can ta!e many forms0 such as %re+transaction review or a %eriodic scan of transactions with detailed review of unusual or (uestionable items. &elegation of this res%onsibility should only be on a short term0 emergency basis.

:ack of Certification and (ocumented 4e iew of Accrued :ea e .alances

Certification and confirmation of accrued leave balances is essential to ensure accurate records are maintained. 8e(uiring em%loyees to regularly certify their leave balances and re(uiring the em%loyee's su%ervisor to review and a%%rove these certifications %rovides a strong control over the trac!ing of leave balances and reduces the %ossibility of errors or abuse of university leave benefits. Certification and su%ervisory review and a%%roval also reduce the li!elihood of dis%utes between the em%loyee and the university at the time of se%aration from the university.

#udit 4rocess 4revalent #udit Concerns 8is! #ssessment 4rocess

4isk Assessment 2rocess

&eciding where to audit /he degree of ris!... /he 8is! 'actors... #nother 7te%... /he assessment %rocess... .ased on these scores...

:ist of Audita$le units

)develo%ed from <==D 8is! #nalysis 4rocess*

"thaca Cam%us Weill Cornell Medical College Cam%us

(ecidin! where to audit at Cornell 2niversity is a %rocess we re+e amine %eriodically. 6iven the size of the 2niversity with its numerous individual o%erating units and our relatively small auditing staff0 it is im%ortant that we allocate our available time to the areas with high ris! e %osures. /his %lanning %rocess also allows us to coordinate with e ternal auditors to be sure that im%ortant areas are not overloo!ed0 and that total audit costs for the organization are minimized. /he de!ree of risk associated with a given unit is often defined in financial terms. We ta!e financial e %osures into consideration0 and consider any activities affecting the delivery of services to students0 em%loyees0 alumni and s%onsors0 or are regulated by legislation0 as e %osures.

8is! + the uncertainty of an event occurring that could have an im%act on the achievement of ob,ectives. /he 4isk Factors that enter into the ris! assessment and %riority of audits include3 4isk /ype (efinition Compliance Gabor Gaw "ssues0 H"4##0 7%onsoring agencies0 em%loyment. Financial .udgets0 financing0 cash flow0 sources and uses of funds0 re%orting $utside demands and restrictions0 such as grants0 data retention0 data :e!al %reservation Consider needs of the delivery of core o%erations0 such as s%ace:facilities0 'perational utilities0 %ersonnel0 student services0 information systems 4eputationalConsider %olitical and outside %erce%tion of unit and university "6oodwill" Consider what needs to be done to maintain and enhance units and universities 6trate!ic com%etitiveness in the industry by focusing on achieving strategic initiatives and mission. /echnolo!y #cademic and administrative information systems and infrastructure 4isk Factor 4isk /ype#s (efinition 8e%utational 'inancial Management effectiveness0 tone at the to%0 e %erience of Control $%erational staff0 %olicies and %rocedures0 change and %revious audit 8n ironment /echnology results. Com%liance /he im%act on the %restige and standing of the university in 8e%utationalterms of students0 alumni0 donors or the general %ublic1 and 4eputation/:e!al Gegal includes such things as failure to com%ly with regulations or Impact Com%liance ina%%ro%riate handling of sensitive information or involvement with controversial %rograms or research. /he im%act on the effectiveness and efficiency of o%erations0 $%erational 'perations including com%le ity of o%erations0 %erformance0 and /echnology Impact safeguarding resources. 8is! relating to organization's 'inancial system0 %rocesses0 technology0 and %eo%le. 7trategic /he im%act on obtaining high+level goals and the ris!s 6trate!ic Impact 8e%utationalrelating to strategy0 %olitical0 and economic conditions. $%erational /he im%act on the financial statements and the %otential for Financial Impact 'inancial significant fraud. 2niversity auditors and senior management rate ris! factors to determine their im%ortance0 and from these evaluations0 we weight the factors according to their im%ortance. Another step in the ris! assessment %rocess is to organize the s%rawling university organizational structure into "auditable units." /he university is not a static organization. .ecause we have restructuring and new initiatives0 we loo! at the university's structure each time we do a ris! assessment. "t's not efficient to %erform se%arate audits of each discrete unit of the university0 so we combine them in logical ways to reduce the number of units to a manageable level0 for the %ur%oses of both evaluation and auditing. 2nits may be combined on the basis of re%orting relationshi%0 or because they are %erforming similar functions.

/he assessment process really gets underway when we gather data on each unit. We also as! selected university staff to rate the units on each factor and combine these ratings to come u% with an overall score for the unit. .ased on these scores0 we determine where we will s%end our time over the ne t year. $f course0 we allow for some slac! time in case we are as!ed to %rovide in%ut on changes to university systems0 or if we need to loo! into an allegation of defalcation. &efalcation is white+collar crime0 fraud0 misuse of university resources.

Ithaca Campus Audita$le 5nits

Financial Control 5nits

#ccounting and 8e%orting .ursar Ca%ital #ssets "/ 7ystems 'H# 8ate )"ndirect Cost 8ate* 'inancial #id "nvestments 4ayroll 4lanning and .udget 4urchasing /reasury and Cash Management /rusts and 5states 2niversity .usiness 7ervice Center )2.7C*

Information /echnolo!y

#lumni #ffairs H &evelo%ment:Contributor #ffairs 7ystem )4eo%le7oft* #cademic /echnology 7ervices and 2ser 7u%%ort #ccounting "/ 7ystems )J5M70 6G and Hy%erion 7ystem* .enefits #dministration 7ystem )4eo%le7oft* .ursar 7ystems )4eo%le7oft* C"/ 7ecurity $ffice #udit C"/ 7ystems and $%eration C"/ Web 7ervices &ata 9etwor! and /ele%hone .illing "/ 7ystems e+Commerce and 4C" Credit Card Com%liance 'inancial #id )4eo%le7oft* "nformation 7ystems + #%%lications:Custom #%%lication "nformation 7ystems + &ata #dministration and &ata &elivery "nformation 7ystems + "nfrastructure "nformation 7ystems + 4lanning 4ro,ects and #nalysis Iuali )4re+"m%lementation 8eview* Mainframe 7ecurity 9etwor! and Communication 7ervices 9etwor! $%erations Center $racle &atabase 7ecurity 4eo%le7oft #%%lication and 7ecurity

4urchasing "/ 7ystems 8esearch #dministration "/ 7ystems 7ecurity of &atamarts and 5nter%rise &ata Warehouses 7ecurity of 5J .ac!u% and &ata 7torage 7tudent 8ecords 7ystem )4eo%le7oft* Web 'inancials Wireless 9etwor!

Institutional Concern

#dditional 4ay #nimal 2se in 8esearch Conflicts of "nterest and Commitment &ata Classification and 4rivacy 5ffort 8e%orting 5mail 7ecurity 5mergency 4re%aredness0 .usiness Continuity and &isaster 8ecovery 5 ecutive /ravel and Charter Jet 6ifts + 4rocessing and #ccounting Human 7ub,ect 2se in 8esearch "dentity Management "nternational 4rograms "/ + Change Control and Change Management 8echarge and 7ervice Center 8ates 7oftware Gicensing 7%onsored 4rogram /ransactions 7ystems &evelo%ment Methodology

Institutional 6upport

#dmissions #thletics and 4hysical 5ducation CC/5C "nternational 7tudent 7ervices $ffice )75?"7* Johnson Museum Gibraries 7tudent and #cademic 7ervices

Instruction and Academic 5nit

College of #griculture H Gife 7ciences College of #rchitecture0 #rt and 4lanning College of #rts H 7ciences College of 5ngineering College of Hotel #dministration H 7tatler Hotel College of Human 5cology College of "ndustrial and Gabor 8elations College of ?eterinary Medicine Com%uting and "nformation 7cience

Coo%erative 5 tension Cornell Gaw 7chool Cornell 2niversity Hos%ital for #nimals 6eneva 5 %eriment 7tation 6raduate 7chool Johnson 6raduate 7chool of Management Gab of $rnithology

4esearch Centers

#nimal 2se in 8esearch 5ffort 8e%orting 6rant /ransactions Human 7ub,ect 2se in 8esearch 9#"C+#recibo $ffice of 8esearch0 "ntegrity0 and #ssurance )$8"#* 8echarge and 7ervice Center 8ates 8esearch .7C 7%onsored 4rogram 7ervices )747*

6er ice 5nits

.enefits #dministration Cam%us Gife Cornell 7tore C2 4olice 5nvironmental Com%liance 5nvironmental0 Health and 7afety 'acilities 7ervices and 2tilities 'inance and #dministration .7C 6annett Health 7ervices $H8 H #cademic 4ersonnel $ffice $"/:C"/ .usiness 7ervice Center 4lanning0 &esign H Construction and Contracts $ffice 8eal 5state 8is! Management /rans%ortation and Mail 7ervices

6u$sidiaries

Cornell Club e+Cornell

Weill Cornell 3edical Colle!e Audita$le 5nits

.asic 6ciences 5nit

.iochemistry

Cell H &evelo%mental .iology 6enetic Medicine Microbiology and "mmunology 4harmacology 4hysiology and .io%hysics

Clinical 6er ices 5nit

#nesthesiology Cardiothoracic 7urgery &ermatology Medicine 9eurological 7urgery 9eurology and 9euroscience $bstetrics and 6ynecology $%hthalmology $torhinolaryngology 4athology and Gaboratory 7ervices 4ediatrics 4sychiatry 4ublic Health 8adiology including 9ew8ad )new ,oint venture w: 9;+4H * and 7ubsidiaries 8ehabilitation Medicine 8e%roductive Medicine and "nfertility 7urgery 2rology

Financial Control 5nits

Controller's $ffice 7#4 'inancial Controls 8eview

Information /echnolo!y

Change Control and Change Management &atamart 7ecurity 5lectronic Medical 8ecords )5M8* 5%icCare 7ystem 65+C. )%hysician billing system* + 'ormerly "&K ).illing0 #40 7cheduling*0 H"4## )4rivacy and 7ecurity* "dentity Management "/7 6eneral Controls G&#4 #ctive &irectory 4C" Credit Card Com%liance 8esearch and 7%onsored 4rograms "/ 7ystems #udit 7#4 )4re+"m%lementation 8eview* ?oice over "4 )?o"4* #udit Wireless 9etwor!

Institutional Concern

#nimal 2se in 8esearch Conflicts of "nterest and Commitment 5mail 7ecurity 5mergency 4re%aredness0 .usiness Continuity and &isaster 8ecovery 5 ecutive /ravel 6ifts+4rocessing and #ccounting H"4## 4rivacy and 7ecurity Human 7ub,ect 2se in 8esearch "nternational "nitiatives 8echarge and 7ervice Center 8ates 7u%%lementary Com%ensation /ime and 5ffort 8e%orting

Institutional 6upport

#cademic #ffairs 4ublic #ffairs

Instruction ; Academic 5nit

6raduate 7chool and /ri+"nstitutional 4rogram

4esearch Centers

8esearch and 7%onsored 4rograms

6er ice 5nits

.enefactor system 5nvironmental Com%liance and Health H 7afety 'acilities and Ca%ital 4lanning 6eneral 'inancial0 "/ 7ystems and 7ecurity #udit MC .illing Com%liance #udit )M& #udit* 4hysicians $rganization 8is! Management:MC"C