Audit Office

Risk Assessment Process

List of Auditable Units

(developed from 2007 Risk Analysis Process)

Deciding where to audit at Cornell University is a process we re-examine periodically. Given the size of the University with its numerous individual operating units and our relatively small auditing staff, it is important that we allocate our available time to the areas with high risk exposures. This planning process also allows us to coordinate with external auditors to be sure that important areas are not overlooked, and that total audit costs for the organization are minimized.

The degree of risk associated with a given unit is often defined in financial terms. We take financial exposures into consideration, but we also treat as exposures any activities that affect the delivery of services to students, employees, alumni and sponsors, or that are regulated by legislation.

Risk - the uncertainty of an event occurring that could have an impact on the achievement of objectives.


The Risk Factors that enter into the risk assessment and priority of audits include:

Risk Type: Definition

  • Compliance: Labor law issues, HIPAA, sponsoring agencies, employment.
  • Financial: Budgets, financing, cash flow, sources and uses of funds, reporting.
  • Legal: Outside demands and restrictions, such as grants, data retention, data preservation.
  • Operational: The needs of the delivery of core operations, such as space/facilities, utilities, personnel, student services, information systems.
  • Reputational: Political and outside perception of the unit and the university ("goodwill").
  • Strategic: What needs to be done to maintain and enhance the unit's and the university's competitiveness in the industry by focusing on achieving strategic initiatives and mission.
  • Technology: Academic and administrative information systems and infrastructure.

Risk Factor (Risk Type): Definition

  • Control Environment (Reputational): Management effectiveness, tone at the top, experience of staff, policies and procedures, change, and previous audit results.
  • Reputation/Legal Impact (Reputational): The impact on the prestige and standing of the university in terms of students, alumni, donors or the general public; this includes such things as failure to comply with regulations, inappropriate handling of sensitive information, or involvement with controversial programs or research.
  • Operations Impact (Operational): The impact on the effectiveness and efficiency of operations, including complexity of operations, performance, and safeguarding of resources; risks relating to the organization's systems, processes, technology, and people.
  • Strategic Impact (Strategic): The impact on achieving high-level goals, and the risks relating to strategy and to political and economic conditions.
  • Financial Impact (Operational): The impact on the financial statements and the potential for significant fraud.

University auditors and senior management rate risk factors to determine their importance, and from these evaluations, we weight the factors according to their importance.

Another step in the risk assessment process is to organize the sprawling university organizational structure into "auditable units." The university is not a static organization. Because we have restructuring and new initiatives, we look at the university's structure each time we do a risk assessment. It's not efficient to perform separate audits of each discrete unit of the university, so we combine them in logical ways to reduce the number of units to a manageable level, for the purposes of both evaluation and auditing. Units may be combined on the basis of reporting relationship, or because they are performing similar functions.

The assessment process really gets underway when we gather data on each unit. We also ask selected university staff to rate the units on each factor and combine these ratings to come up with an overall score for the unit.

Based on these scores, we determine where we will spend our time over the next year. Of course, we allow for some slack time in case we are asked to provide input on changes to university systems, or if we need to look into an allegation of defalcation. Defalcation is white-collar crime: fraud or misuse of university resources.


Ithaca Campus Auditable Units

Financial Control Units

  • Accounting and Reporting
  • Bursar
  • Capital Assets IT Systems
  • F&A Rate (Indirect Cost Rate)
  • Financial Aid
  • Investments
  • Payroll
  • Planning and Budget
  • Purchasing
  • Treasury and Cash Management
  • Trusts and Estates
  • University Business Service Center (UBSC)

Information Technology

  • Alumni Affairs & Development/Contributor Affairs System (PeopleSoft)
  • Academic Technology Services and User Support
  • Accounting IT Systems (JEMS, GL and Hyperion System)
  • Benefits Administration System (PeopleSoft)
  • Bursar Systems (PeopleSoft)
  • CIT Security Office Audit
  • CIT Systems and Operation
  • CIT Web Services
  • Data Network and Telephone Billing IT Systems
  • e-Commerce and PCI Credit Card Compliance
  • Financial Aid (PeopleSoft)
  • Information Systems - Applications/Custom Application
  • Information Systems - Data Administration and Data Delivery
  • Information Systems - Infrastructure
  • Information Systems - Planning Projects and Analysis
  • Kuali (Pre-Implementation Review)
  • Mainframe Security
  • Network and Communication Services
  • Network Operations Center
  • Oracle Database Security
  • PeopleSoft Application and Security
  • Purchasing IT Systems
  • Research Administration IT Systems
  • Security of Datamarts and Enterprise Data Warehouses
  • Security of EZ Backup and Data Storage
  • Student Records System (PeopleSoft)
  • Web Financials
  • Wireless Network

Institutional Concern

  • Additional Pay
  • Animal Use in Research
  • Conflicts of Interest and Commitment
  • Data Classification and Privacy
  • Effort Reporting
  • Email Security
  • Emergency Preparedness, Business Continuity and Disaster Recovery
  • Executive Travel and Charter Jet
  • Gifts - Processing and Accounting
  • Human Subject Use in Research
  • Identity Management
  • International Programs
  • IT - Change Control and Change Management
  • Recharge and Service Center Rates
  • Software Licensing
  • Sponsored Program Transactions
  • Systems Development Methodology

Institutional Support

  • Admissions
  • Athletics and Physical Education
  • International Student Services Office (SEVIS)
  • Johnson Museum
  • Libraries
  • Student and Academic Services

Instruction and Academic Unit

  • College of Agriculture & Life Sciences
  • College of Architecture, Art and Planning
  • College of Arts & Sciences
  • College of Engineering
  • College of Hotel Administration & Statler Hotel
  • College of Human Ecology
  • College of Industrial and Labor Relations
  • College of Veterinary Medicine
  • Computing and Information Science
  • Cooperative Extension
  • Cornell Law School
  • Cornell University Hospital for Animals
  • Geneva Experiment Station
  • Graduate School
  • Johnson Graduate School of Management
  • Lab of Ornithology

Research Centers

  • Animal Use in Research
  • Effort Reporting
  • Grant Transactions
  • Human Subject Use in Research
  • NAIC-Arecibo
  • Office of Research, Integrity, and Assurance (ORIA)
  • Recharge and Service Center Rates
  • Research BSC
  • Sponsored Program Services (SPS)

Service Units

  • Benefits Administration
  • Campus Life
  • Cornell Store
  • CU Police
  • Environmental Compliance
  • Environmental, Health and Safety
  • Facilities Services and Utilities
  • Finance and Administration BSC
  • Gannett Health Services
  • OHR & Academic Personnel Office
  • OIT/CIT Business Service Center
  • Planning, Design & Construction and Contracts Office
  • Real Estate
  • Risk Management
  • Transportation and Mail Services


  • Cornell Club
  • e-Cornell


Weill Cornell Medical College Auditable Units

Basic Sciences Unit

  • Biochemistry
  • Cell & Developmental Biology
  • Genetic Medicine
  • Microbiology and Immunology
  • Pharmacology
  • Physiology and Biophysics

Clinical Services Unit

  • Anesthesiology
  • Cardiothoracic Surgery
  • Dermatology
  • Medicine
  • Neurological Surgery
  • Neurology and Neuroscience
  • Obstetrics and Gynecology
  • Ophthalmology
  • Otorhinolaryngology
  • Pathology and Laboratory Services
  • Pediatrics
  • Psychiatry
  • Public Health
  • Radiology, including NewRad (new joint venture with NY-PH) and subsidiaries
  • Rehabilitation Medicine
  • Reproductive Medicine and Infertility
  • Surgery
  • Urology

Financial Control Units

  • Controller's Office
  • SAP Financial Controls Review

Information Technology

  • Change Control and Change Management
  • Datamart Security
  • Electronic Medical Records (EMR)
  • EpicCare System
  • GE-CB (physician billing system), formerly IDX (Billing, AP, Scheduling)
  • HIPAA (Privacy and Security)
  • Identity Management
  • ITS General Controls
  • LDAP Active Directory
  • PCI Credit Card Compliance
  • Research and Sponsored Programs IT Systems Audit
  • SAP (Pre-Implementation Review)
  • Voice over IP (VoIP) Audit
  • Wireless Network

Institutional Concern

  • Animal Use in Research
  • Conflicts of Interest and Commitment
  • Email Security
  • Emergency Preparedness, Business Continuity and Disaster Recovery
  • Executive Travel
  • Gifts-Processing and Accounting
  • HIPAA Privacy and Security
  • Human Subject Use in Research
  • International Initiatives
  • Recharge and Service Center Rates
  • Supplementary Compensation
  • Time and Effort Reporting

Institutional Support

  • Academic Affairs
  • Public Affairs

Instruction & Academic Unit

  • Graduate School and Tri-Institutional Program

Research Centers

  • Research and Sponsored Programs

Service Units

  • Benefactor system
  • Environmental Compliance and Health & Safety
  • Facilities and Capital Planning
  • General Financial, IT Systems and Security Audit
  • MC Billing Compliance Audit (MD Audit)
  • Physicians Organization
  • Risk Management/MCIC
