Audit Division

The Audit Division delivers audit services through a risk-based program of audit coverage including compliance assessments and financial, operational, and information technology reviews and audits. These efforts, in coordination with the Institute's external auditors, provide assurance to management and the Auditing Committee that good business practices and policies are adhered to, adequate internal controls are maintained, and assets are properly safeguarded.

The Audit Division was fully resourced, employing 13 professional staff, at the beginning of FY2003, operating around four functional teams responsible for distinct areas of the Audit Plan: Financial and Compliance Review, Operational Audit, Information Technology Audit, and Construction Audit. Information Technology audit resources provide support to the other teams, thereby integrating systems expertise into examination of business processes. The division also houses a specialized function, Professional Standards and Strategy, staffed by an experienced member of the division with the title associate audit manager to lead it. Working with the Institute auditor and the audit manager, this function guides the division in setting policy and direction to help us achieve our long-term goal of becoming MIT's world-class audit function.

Sadly this year, the Audit Division notes the untimely death of John V. Cormier (Jack), senior information technology auditor. Jack joined the Audit Division in early January 2002, and worked ambitiously on several reviews and audits, as well as leading an intradepartmental focus group on Audit Communications. We valued his work and his presence in our division even for a short period of time. On a happier note, Glenn T. Date was promoted to the level of senior internal auditor, working on the Financial and Compliance Review team.

The Audit Division's scope of services encompasses the full extent of MIT's auditable activities. Allocation of audit resources across this broad spectrum is accomplished via a model for evaluating risks associated with individual units and/or operational processes, thereby determining a cycle of audit review. The resulting annual Audit Plan guides the assignment and completion of work, which is heavily biased (approximately 30 percent of audit resources, measured in available staff hours) toward assuring compliance with financial controls and requirements of research sponsors within individual academic, research, and administrative units. Audit review of capital construction projects has become an increasingly important part of the plan (approximately 10 percent), with remaining time devoted to audits and reviews of operational processes, uses of technology, and special projects. Time is also specifically allocated to staff development.

During FY2003, specific contracts and grants in the Schools of Engineering, Science, and Management (Sloan) were reviewed for compliance with federal and/or industrially sponsored regulations and/or provisions. Several departments in the School of Science, five departments in Libraries, and 10 departments under the Executive Vice President's Office were also reviewed for compliance with Institute guidelines for financial accountability. Isolated exceptions, correctable in the normal course of business, were addressed to individual departments, labs, or centers, and we are collaborating with the respective Dean's offices in identifying areas for targeted education and oversight. We also conducted a first-time review of executive travel expenses, which identified some cost-saving opportunities in addition to prompting internal discussion of the efficiency and effectiveness of existing review and approval processes.

Operational controls were examined in the areas of Accounts Payable and Lincoln Lab Fiscal Office's cash, general accounting, and travel processes. For a second consecutive year, several members of the Audit Division, in collaboration with a staff member from the Controller's Accounting Office monitored the MIT Press's full physical inventory to ensure that adequate control over the MIT Press's bound book inventory is maintained.

From time to time the Audit Division takes on special reviews that are initiated at the request of senior management, or in recognition of changing circumstances or situations that pose unusual risk to the Institute. In 2003, these reviews included assistance to the Alumni Travel Office in establishing a new accounting record keeping process, as well as several investigations of alleged misappropriation of funds. Finally, upon executive request, the Operational Audit Team and the Information Technology Audit Team collaboratively performed an extensive review of The Tech's business transactions, identifying opportunities for creating more accountability for The Tech and the other student groups' activities.

Construction audit activities have focused on multiple capital projects, representing nearly $1,081 million in project costs. These reviews seek to verify that all costs to the Institute are legitimate, complete, and appropriate in accordance with the final contracts and all related change orders. Reviews have identified potential recoveries and questioned costs of approximately $2.3 million, of which approximately $1.7 million of cost reductions have been negotiated by management with the contractor. In addition, a targeted review of cost and schedule of a major project was performed at the request of the executive vice president. The construction audit process employs the services of several external audit firms, with both local and national presence. Selection of firms is based upon prior experience with the Institute and the project's construction management, in a competitive bidding process. The division's Construction Audit Specialist consults regularly with project managers on the status of projects and to identify areas of potential exposure that may be avoided contractually or with modifications in practices.

Our Information Technology (IT) auditors have been welcome additions to several endeavors on the technology front, including involvement in the SAP HR-Payroll module implementation, and the Lincoln Lab SAP Financial, Purchasing, Plant Maintenance, and HR-Payroll implementations. In addition to adding value to these development projects, this group has completed reviews of controls in the Data Center, as well as an audit of Institute-wide telecommunication and network controls. IT reviews addressing controls over disaster recovery planning, system administration, logical and physical security, software licensing, virus protection, and telecommunications were also performed for the following units: Chemistry, Mathematics, the Laboratory for Nuclear Science, Research Laboratory of Electronics, Mechanical Engineering, MIT Medical, the Libraries, and the Division of Student Life. Also, review of compliance with the Institute's new e-commerce policy was also completed. In an effort to educate system administrators of the goals of the IT audit group, a presentation describing the IT audit function was given at the 2002 IT Partners Conference.

In addition, we have actively participated in the environmental health and safety initiatives undertaken in connection with the consent decree with the US Environmental Protection Agency and the Justice Department. This commitment will continue in the upcoming year, as the division's audit manager is integrally involved with the team responsible for design, development, and implementation of the audit component of the Environmental Health and Safety Management System. The IT audit supervisor is also a team member of the EHS Inventory Committee, which is working to determine how best to inventory and categorize hazardous chemicals used throughout the campus. Involvement by the Audit Division in this and the above systems development projects demonstrates the division's willingness to foster positive change as part of a management effort, in addition to fulfilling the traditional role of independent assessor.

Owing to considerable success in recruiting activities, the division's operations were less severely impacted by unfilled positions than in prior years, thus diminishing the need to draw on outside resources to fulfill the obligations of the Audit Plan. To gain access to expertise not available from our permanent resources, we may in the future, with the support of executive management and the MIT Auditing Committee, selectively retain contract help to assist with work in specialized areas, as well as to carry out our construction audit program. For this reason, we maintain relationships with various strategic partners who provide audit services, should future needs arise.

The audit management team continues to explore and compare internal administrative practices for audit plan development, audit methodology and uses of technology to "best practice" standards, and to consider opportunities to better leverage existing resources while meeting the Institute's goals for the division. Early in this fiscal year, audit management committed energy and resources to a comprehensive action plan for division-wide improvement of operational standards. These standards include: audit methodology, classification of audit findings, engagement supervision and review, reporting to senior management and the Auditing Committee, and management responses and audit follow up. We also mapped our desired audit methodology, which prescribes a more thorough planning phase than has been called for in the past. Two intradepartmental focus groups concentrated on themes of communications and relationships, and their recommendations were incorporated in discussion around standards. At the close of the year the division was performing up to the level called for by the new operational standards described above, with other practices coming under examination in fiscal year 2004.

The division continues the use of a software package enabling automation of administrative aspects of the audit process (work papers, scheduling, time tracking, and record keeping of audit findings). This not only positions the division on a par with peers for automation, but it also provides the foundation for "industrial-strength" measurement, monitoring, and reporting to the MIT Auditing Committee on status and results of the Audit Division's activities.

The role of audit committees in both public and not-for-profit organizations is being better defined by members of the audit profession and others taking a strong interest in matters of institutional governance. The MIT Auditing Committee now meets three times per year, to permit additional time to discuss topics of interest in concert with their mission. The committee also adopted a charter that will lend momentum to the Audit Division's goals for monitoring internal controls and supporting the Institute's risk management processes, as well as formalizing the committee's operations and obligations. We were pleased to be joined at a half-day educational meeting of our staff in January by A. Neil Pappalardo and Dr. Norman E. Gaut, chairman and member, respectively, of MIT's Auditing Committee. This valuable interaction between the Audit Committee and the Audit Division helps the division chart its course in close alignment with the governance goals of the committee. This discussion with Neil and Norm underscored the need to address the complexity of Institute business processes with a balanced, cost effective audit approach. Further, our role as integrator is critical to reducing of overlaps and increasing cooperation and synergy.

The most recent development in corporate governance was the July 2002 passage into law of the Sarbanes-Oxley Act. While the Act does not apply to not-for-profit organizations, institutions of higher education note that this law causes a shift in the external context of institutional best practices. The Institute auditor currently serves on a task force sponsored by the National Association of College and University Business Officers (NACUBO); this task force is developing material to be included in an advisory report to be issued by NACUBO, providing best practice guidance for institutions of higher education within the context of Sarbanes-Oxley.

We emphasize professional development on the part of all our staff. Members of the audit staff find opportunities for training in their discipline and affiliate with industry peers through conferences, seminars, and group meetings. The Institute auditor is a member of the "Little 10+" association of Ivy League and other peer institutions, which meets semiannually. The Information Technology audit team participated in a similar program of IT audit peers. In April, the Institute auditor presented on "Leveraging Relationships with Management and the Audit Committee" at the 14th Annual Superstrategies Audit Best Practices Conference hosted by the MIS Training Institute. Six of our staff members also attended this conference.

From time to time members of the division's staff serve on task forces and committees in support of MIT community initiatives. Notably, in 2003 Sandra Manassa, senior information technology auditor, was appointed to the Council on Family and Work for a three-year term.

The Institute auditor is an active participant in several operating management groups. As a member of the executive vice president's Senior Management Team and the Administrative Systems and Policies Coordinating Council (ASPCC), the Institute auditor lends expertise in risk management and control in addition to staying abreast of new developments in broader Institute initiatives. The Institute Auditor is also a member of the Budget and Finance Steering Group (BFSG), providing an additional link between internal operations and the oversight activities of the Auditing Committee in financial affairs of the Institute.

The Institute auditor also chairs the Central Authorizer (CA) Oversight Committee, which works with the Business Liaison Team (BLT) in their dual capacity as the "Central Authorizer," or central clearinghouse for system authorizations maintained in the Roles Database, the central system of record for certain authorizations. The CA Oversight Committee comprises members of the CA/BLT, the Controller's Accounting Office (CAO), Information Systems (I/S), Financial Systems Services (FSS), and, recent additions, representatives of the provost's Office and the School of Architecture. The CA Oversight Committee works with the CA to facilitate and support the ongoing use of the Roles Database for maintaining authorizations and to promote the further deployment of the Roles model for other business processes' systems authorizations.

The Audit Division has taken several steps to echo the executive vice president's five broad themes for MIT administration within internal operations and audit practices. First among these is client orientation. Supporting our primary client, the MIT Auditing Committee, while providing value-added audit services Institute-wide, has been a longstanding commitment of the Audit Division, one that is met through careful attention to the concerns and potential exposures that face the administrative and academic staff and the faculty, researchers, and senior Institute personnel they serve.

The second theme, collaboration, has been demonstrated particularly in our approach to construction audit; this responsibility can only be met through close involvement by the audit team in the affairs of the Capital Projects group and project management. Our efforts in system implementation projects have also been carried out through strong collaboration, a mode which advances the needs of the auditor as well those of the overall project. Collaboration was vital to the success of the MIT Press physical inventory, where individuals representing three groups, the Controller's Accounting Office, the Press, and Audit all joined to accomplish the joint goal of completing the task on schedule.

Sustainability is the third theme. Business solutions to audit findings must, as a first priority, address the noted problem; to do this in a sustainable manner is the ultimate goal. Often management accountability (the fourth theme), reinforced through ongoing measurement, monitoring, and reporting processes is a necessary ingredient in a sustainable solution. Improving and supporting management accountability is a goal for audit management in the upcoming year.

Professionalism is the fifth theme. Professionalism on the part of individuals comprising the Audit Division, as well as within the practices for the conduct of audit work, is an assumed standard for the internal audit function of an institution such as MIT. We recruit and retain people with professional certifications, support the ongoing maintenance of such certifications, and through communication and development nurture their understanding of their obligations as MIT internal auditors. A current theme at the division's semiannual offsite meetings is defining "Best Practices for MIT's World Class Audit Function," and charting our course for implementing those practices. Through the dedication and professionalism of the current team, we believe this is an achievable standard of excellence.

Deborah L. Fisher
Institute Auditor

 

return to top
Table of Contents