Frequently Asked Questions
Financial, Operational & Compliance Audit
Information Systems Audit
Insurance
Risk Management
Regulations
Financial, Operational & Compliance Audit
How are audits selected?
University audits are selected through a risk assessment process. RMAS communicates with schools, departments and University management to identify and prioritize operational, financial and compliance risks to the University. The specific audit projects for the year are chosen based on these assessed risk factors. The final plan is also evaluated to ensure adequate representation of schools, departments and affiliates.
What should I expect during an audit?
There are four distinct phases to an audit at the University and an understanding of these phases will help you to understand the process:
Planning
- An announcement letter is sent to the department/unit informing them of the audit project. This letter will provide details on the timeframe and the name of the managing auditor and auditing team assigned to the project.
- The managing auditor will interview key personnel in the department to learn more about the operations.
- The Scope Document is prepared and presented to management as a contract for the work to be performed. This document will outline the objectives and parameters of the audit project.
Field Work
- Auditors schedule times to interview individuals responsible for maintaining and preparing financial and operational reports.
- Analytical audit techniques are used to test, analyze, interpret and corroborate documentation of controls.
- Regular update meetings are scheduled during field work to communicate progress to date and to discuss potential findings.
Communication of Results
- The distribution list for the audit report is included on the Objective and Scope Document Report. University Audits are confidential and go only to those people who need to know.
- The draft audit results, findings and recommendations are submitted to management for discussion in a draft report at an "exit meeting." A 10-day comment period allows the department to respond in writing to the facts and recommended actions in the report.
- The final report goes to the managers of the area, their supervisors and, for school related reports, to the Financial Dean of the school. In addition, the Vice President for Finance and the Partner at PricewaterhouseCoopers, LLP assigned to the University account receive the report.
Follow-up
- Significant issues in a final audit report could warrant a Post-Audit Appraisal (PAA) at a later date.
- PAAs are usually conducted within 18 months of the full audit, and the results are published in a written report.
How long will my audit take?
Audits are typically scheduled for three months from beginning to end, which includes four weeks of planning, four weeks of fieldwork and four weeks of compiling the audit report. The auditors are generally working on multiple projects in addition to your audit. The auditors' time will be divided among all of their projects, with some weeks heavily focused on your audit and other weeks less focused on your audit.
How much of my time will the audit require?
The time required for the audit will vary depending on the size, complexity and strength of the organization's internal controls. For each audit, there will be an individual within your organization who will act as our main contact for the duration of the audit. The main contact will be responsible for meeting with us to help determine the scope of the audit, gathering requested documentation, discussing our audit findings, helping develop "agreed-to actions," and reviewing and approving the final audit report. We will also need to meet with other key personnel during planning and fieldwork to improve our understanding of business processes. Each client meeting generally lasts one to three hours depending on the subject matter.
Why aren't good practices cited in an audit report?
The objectives of an audit report are to tell what was found, convince management of the work and validity of the findings and move management toward change and improvement. To accomplish these objectives, audit findings that strengthen the control environment and require management action are given the most attention. However, the report must also be objective and offer an unbiased view of the control environment. This is accomplished in the summary section of the report where an overall assessment of the internal controls is provided, e.g., good, adequate, needs improvement or inadequate. Additionally, a short paragraph will offer the reader an overall assessment and could mention some of the stronger controls in the organization.
Who gets copies of audit reports?
In general, an audit report is issued to those in a position to see that corrective actions are taken and those with a need to know. Generally, this includes the department/function management team, Finance Dean, RMAS Director, Vice President of Finance and the PricewaterhouseCoopers Partner on the Harvard account. The report may also be distributed to those individuals who have significant responsibility for the audit area e.g. Office of Sponsored Research for award management audits.
How confidential is my report?
Your report is issued to those on the distribution list and its content is held in confidence within RMAS. The distribution of reports to others that may request a copy must be approved by the RMAS Director. This restriction prevents an indiscriminate broadcasting of reported information to people without a need to know.
May I request an audit?
You may contact the audit department if you feel you are a good candidate for an audit. Depending on the urgency of the request and our availability, we might be able to schedule you for an audit in the current year. More likely, your request will be put on a list of potential audits for the following fiscal year. When we create our annual audit plan at the beginning of the following fiscal year, we will consider your group along with other groups who requested audits or who were identified as high risk.
Who audits RMAS?
RMAS adheres to the International Standards for the Professional Practice of Internal Auditing, which require an external assessment once every five years by a qualified, independent review team. We were reviewed in the summer of 2006. The review team consisted of executives from Raytheon, Duke University, Indiana University and Northwestern University. The review team was assisted by PricewaterhouseCoopers.
Who does RMAS report to?
We administratively report to the Vice President for Finance and CFO, and we receive operating authority from, and are responsible to, the Joint Committee on Inspection. We meet with the Joint Committee on Inspection at least four times per year and provide an annual report on our work and the existing financial, operational, compliance and reputational risks of the University.
Information Systems Audit
What is an IT Governance audit?
An IT Governance audit evaluates an IT organization’s strategic and operational alignment with its enterprise’s business strategy, ensuring that IT is supporting the organization’s overall goals while measuring IT delivery performance and transparently reporting the results.
This type of audit will assess how an IT organization is functioning overall, what key metrics management needs and what value it provides to the enterprise. According to the IT Governance Institute, there are five focus areas:
- Strategic alignment: Linking business and IT so they work well together
- Value delivery: Making sure that the IT department does what’s necessary to deliver the benefits promised at the beginning of a project or investment.
- Resource management: Ensuring that resources are managed effectively and efficiently.
- Risk management: Establishing a formal risk framework that puts rigor around how IT measures, accepts, manages and reports risk.
- Performance measures: Putting structure around both qualitatively and quantitatively measuring IT performance.
RMAS uses the COBIT (Control Objectives for Information and related Technology) framework, an international standard that assesses IT governance. Basically, COBIT is a comprehensive set of governance control objectives focused on risk and mitigation. These objectives introduce good control practices that integrate business requirements with IT delivery.
What is a Systems Audit?
An information systems audit performed by RMAS is a comprehensive examination of a given targeted system. The audit consists of an evaluation of the components which comprise that system, with examination and testing in the following areas:
- High-level systems architecture review
- Business process mapping (e.g. determining information systems dependency with respect to user business processes)
- End user identity management (e.g. authentication mechanisms, password standards, roles limiting or granting systems functionality)
- Operating systems configurations (e.g. services hardening)
- Application security controls
- Database access controls (e.g. database configuration, account access to the database, roles defined in the database)
- Anti-virus/Anti-malware controls
- Network controls (e.g. running configurations on switches and routers, use of Access control lists, and firewall rules)
- Logging and auditing systems and processes
- IT privileged access control (e.g. System Administrator or root access)
- IT processes in support of the system (e.g. user account reviews, change management)
- Backup/Restore procedures
The general mechanics of the audit consist of sampling configuration and log files, with subsequent interviews with key personnel. Additionally, RMAS performs testing with regard to identified key controls, and may require the creation of user accounts such that RMAS auditors may more thoroughly peruse the system and determine the efficacy of implemented controls. Further, a subset of integration testing may be performed against test or staging environments to assure controls that the general user may experience are in place and functioning as described and expected.
While much of the evaluation performed in an information systems audit is heavily focused on the IT general control environment for the given system, interviews with the primary users or information owners may also be conducted. Inquiry into the user community is performed to determine general user acceptance of the system and to determine service expectations with regard to the system.
What is an Integrated Audit?
An integrated audit considers information technology, financial and operational controls as mutually dependent for establishing an effective and efficient internal control environment.
From an information technology perspective, the objective is to assure that information technology controls are effective and efficient to support the business process. From a financial and operational perspective, the objective is to assure that financial and operational controls are effective and efficient to support the business process. Even though issues may not be identified in financial and operational controls, issues identified in information technology may negate the effectiveness of the financial and operational controls, and vice versa. Therefore, for an integrated audit, all perspectives need to be considered, since information technology, financial and operational issues can significantly impact the achievement of management's objectives of safeguarding information system assets and ensuring the reliability and integrity of information.
The integrated audit includes an audit of the applications, servers, and network configurations that support the business process. The examination and testing of the application, servers, and network configuration are similar to that of an information systems audit.
Additionally, the information system and the financial and operational auditors collaboratively consider the following as they relate to the business process being examined:
- The business and information processing risks and controls are understood and agreed upon by the business owners, information technology delivery and support organization, and the integrated audit team.
- Manual and automated feeds, system interfaces, and communications are accurate, timely and secure.
- Manual and automated transactions are approved, timely and accurately processed.
- Information is secure and privacy controls are in compliance with current regulations and University standards.
- Disaster recovery plans and business continuity plans provide reasonable assurance that both the system and business operations can recover and continue when a system or business interruption occurs.
- Program changes are authorized, tested, approved and migrated to production as prescribed by the business process owners.
The business process owner is ultimately responsible for ensuring information technology and financial and operational controls are implemented, effective and efficient.
Are there systems security standards?
University Information Security Standards can be found on the University Security Web site.
Who should I call if I experience a security breach?
Call or email the Network Security Incident Response Team (NSIRT) of University Information Systems (UIS). Call 496-4736 at any time. During business hours (Monday to Friday 8 a.m. to 6 p.m.), a staff member will take your call. After hours you can leave a voice mail to page the on-call engineer. A team member can assist you in further evaluating the situation and determining what follow-up actions to take.
What does an Information Systems audit entail?
The purpose of an audit is to evaluate the system controls that deal with security, access, user management, and data integrity.
Insurance
How do the University's self-insurance programs work?
The University has a self-insured program for property, liability and automobiles. In the Self-Insured Property Program, a reserve is set up to fund for University losses, third party claim payments and to pay the premiums for excess insurance. Each fiscal year departments are charged a property and liability premium, allocated per building, to maintain the property and liability reserve. Departments with University vehicles are charged an annual premium per vehicle to maintain the auto reserve.
The Self-Insured Property Program is structured as closely as possible on commercial insurance guidelines as regards coverages and exclusions.
What if a loss or damage occurs to a Harvard building?
Emergency repairs and other reasonable steps should be taken to protect the property from further damage. As soon as possible, notify the Insurance Department of the details of the loss by telephone (617-495-8668) and also submit a Property Loss Report Form. Further repairs should not be started until the scope of work and estimated costs for repairs have been agreed upon between the department and the Insurance Department.
Will insurance pay all of a department's repair/replacement costs after a loss?
Insurance reimburses the cost to repair or replace with like-kind or quality. Every attempt is made to reimburse the department the costs to put the building back to the condition it was in prior to the loss. A department may incur some costs not covered by insurance since there are normal limitations and exclusions to the policy. The Insurance Department will explain the coverage in more detail when determining the scope.
Are building contents automatically insured on the University's Property Policy?
Yes, there is limited coverage for contents on this policy, $250,000 per building. These contents must be University owned and the policy excludes losses due to theft. Departments can insure equipment and contents for a higher limit and include losses due to theft by purchasing additional contents insurance (Open Marine Policy). This insurance can be obtained by contacting the Insurance Department.
What if someone is injured on our premises?
Harvard employees are instructed to ask the injured person if he/she needs assistance. If possible, let the injured person tell you what he/she wants to do. If medical attention is required, call 9-911. Offer to call a family member or a friend and contact HUPD for assistance. Employees should never make a statement regarding liability or payment of bills. The Insurance Department should be notified of all incidents involving bodily injury to a third party (student, visitor or guest) as soon as possible by telephone (617-495-8668), and an Employee Incident Report Form should also be submitted.
What if a tenant, student or employee wants to be reimbursed for damage to personal property?
You can instruct person(s) wishing to file a claim to contact the Insurance Department directly by telephone or by submitting a Claimant Incident Report Form. Claims for damage to personal property are sent to our liability carrier to determine whether there is negligence on the part of the University. Our insurance company will investigate the incident and arrange the settlement or denial of any claims. Refer to the section on Comprehensive General Liability for further information.
What if a department wants to buy, sell or lease a vehicle?
Contact the Insurance Department for instructions prior to buying, selling or leasing a vehicle. The Insurance Department will process the registration, insure the vehicle on the University's Automobile Insurance Policy and provide guidelines on the use of vehicles, driver training and authorizing drivers.
What should a driver do if an accident occurs while driving a University vehicle?
In the event an accident occurs the driver should do the following:
- DO NOT ADMIT LIABILITY TO ANYONE.
- Exchange vehicle information with the other driver - name, address, license number, plate number, year, make, model of car, name of Insurance Company.
- If necessary, contact HUPD or the local police.
- Report all accidents immediately to the Insurance Department, 617-495-8668, FAX 617-496-0505.
- Submit an Auto Accident Report Form to the Insurance Department.
- If a Harvard employee is injured, he/she should file a report with the Department of Human Resources - Worker's Compensation, Holyoke 6th Floor, tel. 617-495-2786, FAX 617-496-3998.
Risk Management
What is risk management?
Risk management is a process of proactively identifying issues and assessing their potential impact on the University. Taking a proactive approach allows the University to anticipate risk and make informed business decisions. Depending on the circumstances, the University may choose to either avoid risk or assume it.
What types of risk is the University concerned about?
While we often associate risk with financial matters, e.g. investments, insurance, loss prevention, there are many types of risk. The University broadly defines risk as any issue that could impact the University's ability to meet its business objectives. In other words, risk applies to many different aspects of our work.
Specifically, the University is concerned with five risk areas.
- Compliance - Compliance risks involve violation of either federal or state laws and regulations. For example, not adhering to the Fair Labor Standards Act requirements.
- Financial - Financial risks involve loss of assets. For example, personal use of the PCard.
- Operational - Operational risks involve interruption or cessation of business activities. For example, loss of utilities.
- Life Safety - Life safety risks involve personal injury or death. For example, a sports injury.
- Reputational - Reputational risks involve tarnishing the University's name. For example, negative press releases.
Who manages risk at the University?
Some departments are responsible for managing specific risk areas. For example, the Office of Human Resources manages employment risks. Similarly, Environmental, Health & Safety consults on environmental risks.
However, as employees or agents of the University, we are all risk managers. What does that mean? Whether "risk manager" is in our job title or job description is irrelevant. We all are presented with risk in the workplace. For example, we all have resources at our discretion, such as staff, finances, property and information. What we do or do not do with those resources can either create or mitigate risk.
What is my role in managing risk?
You have two roles in managing risk. The first role is to be aware of and understand what areas of risk are present in your current position. For example, if you manage people you need to consider employment laws, discrimination laws and union contracts. You also need to consider the University's policies and practices around hiring, firing and creating a safe work environment.
Once you know your risk areas, you need to consider the implications of these risks for yourself, your department and the University. This second role in managing risk requires that you assess each situation and anticipate the consequences of your actions. How do you make such an assessment? Ask yourself the following questions:
- Is this action legal? If it is not legal, stop here.
- Does this action meet the University's standards?
- Does this action meet my professional standards?
- Does the "golden rule" apply? How would I feel if I were treated this way?
- How would this look on the front page of the newspaper?
These questions provide a framework to assess risk. If you still do not know what to do, you should seek guidance. The University has many resources to assist you with your decision-making processes. Such resources include your Human Resources representative, the Office of General Counsel, the Office of Risk Management & Audit Services, Environmental, Health & Safety or the University Compliance Hotline.
What is the Risk Management Committee?
The Harvard Risk Management Committee (RMC) provides a forum for identification, discussion and resolution of major risks facing the University. The RMC is charged by the President and Provost to provide advice on:
- How the University may assure that faculty and staff are aware of their legal and ethical responsibilities as members of the Harvard community
- What steps should be taken to establish and codify University-wide standards of conduct
- Coordinating and disseminating information regarding training, oversight functions, and internal controls, especially in areas subject to regulations
- Facilitating inter-faculty collaboration and support of risk identification and mitigation strategies
The RMC is endorsed by the President, Provost and Joint Committee on Inspection and represents an integral part of the University's compliance initiative. This committee generally meets three to four times a year and is chaired by the University's General Counsel. Membership is comprised of senior administrators and faculty from across Harvard University. The RMC is staffed by RMAS' CRM Group.
What is the role of the Joint Committee on Inspection?
The Joint Committee on Inspection (JCI) is Harvard's audit committee. The JCI has oversight responsibilities for all financial, operational and compliance matters and any issues and risks as a result of control weaknesses in these areas. The JCI reports to the President and Fellows of Harvard College (the "Corporation") and fulfills its oversight responsibilities by reviewing compliance, financial and operational information to be reported and the systems of internal controls established within the University and the audit process.
In the conduct of its business, the committee generally meets four times a year. In fiscal year 2001, the committee adopted a charter which outlines the committee's general responsibilities. The JCI consists of two representatives of the Corporation and three representatives of the Board of Overseers of Harvard College.
Regulations
If I have a grant or contract with the federal government, are there any laws I should be concerned with?
Yes, the Federal Civil False Claims Act applies to individuals and corporations that do business with the federal government. The Federal Civil False Claims Act is an anti-fraud law. Under the Act, an individual or corporation is liable if they knew or should have known that they submitted a false claim to the federal government.
If I have international business travel, are there any laws I should be concerned with?
Yes, the Foreign Corrupt Practices Act applies to individuals or corporations who conduct business in a foreign country. The Foreign Corrupt Practices Act is often referred to as the anti-bribery law. Under the Act, an individual or corporation is prohibited from either directly or indirectly bribing a foreign official or foreign political office.
If I have a question about regulatory laws, who should I contact?
If you have questions about the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA) or any other regulatory law, please visit Harvard's Information Security and Privacy site, or for more information contact us, the Office of the General Counsel or your school’s IRB Administrator.