Internal auditing at Rochester Institute of Technology (the “university”) is an independent and objective assurance and consulting activity designed to add value and improve the university’s operations. Specifically, it helps the university accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The university’s internal auditing function is performed by the department of Institute Audit, Compliance & Advisement (“IACA”).
Institute Audit, Compliance & Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the University community. We focus on preserving the resources of the University for use by our students as they prepare for successful careers in a global society.
IACA was established by the university to assist the Audit Committee of the Board of Trustees (the “Committee”) in the accomplishment of its objectives as described in the Audit Committee Charter. The Assistant Vice President of IACA leads the department and is the university’s Chief Audit Executive (the “CAE”). The CAE reports administratively to the Senior Vice President for Finance and Administration, and functionally to the Committee. IACA is required to report regularly to the Committee regarding the status of the annual audit plan and university risk management systems which include strategic, financial, regulatory, reputational, and operational risks. The Chief Audit Executive has a responsibility to communicate promptly and directly with the university’s President and the Committee if management efforts to identify and address critical risks are of concern.
The IACA staff shall govern themselves by adherence to The Institute of Internal Auditors' (the “IIA”) “Code of Ethics.” The IIA’s “International Standards for the Professional Practice of Internal Auditing” (the “Standards”) shall constitute the operating procedures for IACA. The IIA’s “Practice Advisories” will be adhered to as applicable. In addition, IACA will adhere to the university’s policies, procedures and the IACA Department Manual. The IACA Department Manual shall include attribute, performance, and implementation standards to guide IACA.
IACA is committed to meeting the Standards, which includes employing highly competent auditors and maintaining a quality assessment review program. The Committee reviews professional credentials and achievement of annual training and quality goals.
All internal audit activities shall remain free of influence by any element in the university, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of an independent and objective mental attitude necessary in rendering reports. One exception to this statement is that the Senior Vice President for Finance and Administration can mandate that certain engagements be included in the internal audit work plan.
To maintain its independence, IACA and its professional staff may have had no direct responsibility or control over any of the activities they audit and review. Accordingly, they shall not develop or install systems or procedures, prepare records, or engage in any other activity that would normally be audited. However, IACA staff may perform advisory services without impairing their independence provided those services remain consultative and not operational in nature. In fulfilling its role, IACA has full and complete access to all university records (manual and electronic), physical properties, personnel, and information provided by third parties relevant to its activities. Documents and information given to IACA during an audit or review will be handled in the same prudent and confidential manner as by those employees normally accountable for them. All university employees are requested to assist IACA in fulfilling their staff function. IACA shall also have free and unrestricted access to the Committee.
The scope of IACA encompasses the examination and evaluation of the adequacy and effectiveness of the university’s governance, risk management process, and system of internal controls in carrying out assigned responsibilities to achieve the university’s stated goals, standards, and objectives. It includes:
Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
Reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations, which could have a significant impact on operations and reports and whether the organization is in compliance.
Reviewing the means of safeguarding assets and, as appropriate, verifying the existence and value of such assets.
Reviewing and appraising the economy and efficiency with which resources are employed.
Reviewing operations or programs to ascertain whether results are consistent with established standards, goals, and objectives and whether the operations or programs are being carried out as planned.
Reviewing specific operations at the request of the Audit Committee or management, as appropriate.
Monitoring and evaluating the effectiveness of the university’s risk management system.
Reviewing the degree of coordination between external auditors and internal audit.
Reviewing the internal control statement made by senior management and the related opinion by the attest auditor for audit planning.
Suggesting new or modified policies and procedures where appropriate.
Compiling information related to irregularities and investigations.
Participating on committees and in meetings for significant university initiatives to advise on exposure prevention.
Performing follow-up activities to encourage resolution of identified concerns.
Monitoring an anonymous hotline (the RIT Ethics and Compliance Hotline) on behalf of the Audit Committee.
Monitoring university compliance activities in collaboration with RIT’s Chief Compliance and Ethics Officer.
Promoting a culture of ethics, responsibility, and accountability within the university community by providing various regularly scheduled trainings and communications.
Annually, the CAE shall submit to senior management and the Committee a summary of the audit work schedule, staffing plan, and hours budget for the following fiscal year. The audit work schedule is to be developed based on a prioritization of the audit universe using a risk-based methodology. The Committee is responsible for approving IACA’s annual audit plan. Any significant deviation from the formally approved work schedule shall be communicated to senior management and the Committee through periodic activity reports.
IACA performs audits, business process reviews, limited scope reviews, continuous auditing, advisory engagements, and fraud investigations.
Written communications will be prepared and issued by the CAE or designee following the conclusion of each engagement performed by IACA and distributed as appropriate. Additionally, a summary of results for all audits, business process reviews, limited scope reviews, continuous auditing engagements, and fraud investigations will be provided to all members of the Committee, the President, and the Senior Vice President for Finance and Administration.
The CAE or designee may include in IACA published reports Management’s response and corrective action taken, or to be taken, in regard to the specific findings. Management’s response should include a timetable for anticipated completion of the action to be taken or rationale for accepting a risk and not implementing a corrective action.
IACA shall be responsible for appropriate follow-up on all management corrective action plans. All findings requiring management action will remain open until cleared by the CAE.
IACA selects high quality professionals to staff its department. All professional staff must possess certifications in public accounting, internal auditing, or information systems auditing, or be able to obtain one of these certifications within a reasonable time frame. All IACA professional staff will participate in a continuing professional education program. IACA also engages external professional service providers, as necessary, to increase the breadth and depth of skills available and to increase its flexibility to respond to the challenges of the university’s changing business risks.
The CAE should periodically assess whether the purpose, authority, and responsibility, as defined in this charter, continue to be adequate to enable the internal auditing activity to accomplish its objectives. The result of this periodic assessment should be communicated to senior management and the Board of Trustees via the Committee.
The Bylaws of the Rochester Institute of Technology (the "university"), Article XVI, Section 2, delegate to the Audit Committee of the Board of Trustees (the "Committee") authority "to periodically appraise the internal control and accounting systems of the Institute." By adopting this Audit Committee Charter, the Board of Trustees (the "Board") makes more specific the charge it gives to the Committee.
By virtue of its delegated authority, the Committee is charged to assist the Board in fulfilling its responsibility to oversee Administrative Management's ("Management") conduct of the university’s system of internal control, reporting and accounting systems, which includes overview of the financial statements and other financial information provided by the university and its subsidiaries to any governmental or regulatory body, the public, financial institutions and the university’s internal community. The Committee is charged to recommend to the Board and engage upon Board approval, the independent auditors for the university annually and to give oversight to the annual independent audit of the university’s financial statements. The Committee is also charged to oversee the general compliance of the university with applicable laws and regulations, and policies and procedures established by the Board.
Access to Information
The Committee may request any independent auditor, expert, officer, trustee, agent or employee of the university to appear before it to report on the financial condition of the university or any other aspect of the university’s operation and answer any questions the Committee might have. The Committee has full access to all records and facilities for this purpose.
The role and responsibility of the Committee is oversight. Management is responsible for preparing the financial statements, governmental and other reports of the university, for operating the university, including its financial systems, and for assuring compliance with applicable laws and regulations and with policies and procedures approved by the Board. The internal auditors have responsibility for the examination and evaluation of the adequacy and effectiveness of the university’s governance, risk management process and system of internal controls in carrying out assigned responsibilities to achieve the university’s stated goals, standards, and objectives. The external auditors are responsible for auditing the university’s financial statements and such other functions as they are specifically approved and engaged to audit by the Committee.
Reliance on Management, Auditor, and Advisory Information
It is recognized that Management, the internal auditors, and the external auditors have more time, knowledge and detailed information about the university than the volunteer members of the Committee. Consequently, in carrying out its oversight function, the Committee is not providing expert or special assurance as to the university’s financial statements or professional certification as to the work of the university’s staff or of the outside auditors. In discharging their duties, the members of the Committee may rely on information, opinions, reports or statements, including financial statements or other financial data, prepared or presented by officers, employees, internal or external counsel, public accountants, committees of the Board duly designated with authority in particular areas, or other persons whom the members believe are reliable and competent in the matters presented, provided that in so relying the member is acting in good faith and with that degree of diligence, care and skill which ordinarily prudent audit committee members would exercise under similar circumstances. The Chief Audit Executive is charged with presenting all significant control deficiencies and material weaknesses to the Committee including expedient contact with the Committee Chair when such deficiencies and weaknesses have not been satisfactorily resolved by university management.
The following functions are appropriate common recurring activities of the Committee in carrying out its oversight function. These functions are set forth as a guide with the understanding that the Committee may diverge from this guide as appropriate under the circumstances.
A. External Audit
1. Select, recommend to the Board, and engage upon Board approval, the university’s external auditors, taking into account the recommendation of the Senior Vice President for Finance and Administration, and pre-approve the external auditors’ plans and fees for all audit and significant non-audit services.
2. Review reports of external auditors.
3. On a regular basis, meet separately with the external auditors to discuss any matters that the Committee or auditors believe should be discussed privately.
4. Evaluate the performance of the external auditors.
5. Review and confirm the independence of the external auditors for the performance of both audit and non-audit services.
6. Evaluate the report of the external auditors regarding the results of the annual audit including, but not limited to:
a) The audited financial statements and management letter recommendations and Management's responses thereto.
b) The adequacy of the university’s system of internal controls.
c) Management and Internal Audit’s cooperation with the external auditors.
d) The adequacy of the university’s accounting policies and practices, including the level of compliance with governmental regulations and with recent professional pronouncements and their impact on the financial statements.
B. Internal Audit
1. Review annually and recommend and approve changes to the Internal Audit Department Charter.
2. Review and concur in the appointment or removal of the Chief Audit Executive as recommended by the Senior Vice President for Finance & Administration.
3. Review and evaluate:
a) Organization and reporting structure of the Internal Audit Department, including the independence of the Chief Audit Executive, staff, and internal audit service vendors.
b) Significant deficiencies or material weaknesses from compliance audits, special investigations and projects.
c) Scope of audit coverage and coordination with external auditors.
d) Implementation and status of annual audit plan.
e) Budget allocations for the internal audit function.
f) Professional credentials and continuing education of the Chief Audit Executive and staff.
4. Request special investigations, projects, and evaluation of audit services.
5. On a regular basis, meet separately with the Chief Audit Executive to discuss any matters that the committee or Internal Audit believes should be discussed privately.
C. Financial Management
1. Review and approve implementation of significant new or modified accounting policies.
2. Review and approve significant estimates and/or assumptions utilized in financial statement preparation.
3. Review and evaluate the extent to which Management has implemented recommendations made by external and internal auditors.
4. Review results of consultants engaged for specific purposes.
D. Other Functions of the Audit Committee
1. Periodically review and evaluate the adequacy of the university’s oversight of its subsidiaries.
2. Periodically review and evaluate the adequacy of the university’s risk management program, including its controls to prevent fraud or other misconduct.
3. Periodically review and evaluate the results of the university’s Compliance Program to ensure compliance with regulatory reporting requirements of governmental authorities, including timely submission of required reports and review the results of Management's follow-up of any instances of non-compliance.
4. Periodically review and evaluate the adequacy of the university’s risk mitigation activities pertaining to cybersecurity risks facing the university.
5. Review the results of compliance audits or examinations conducted by governmental authorities.
6. Initiate special investigations and seek the advice of internal or external university legal counsel as deemed necessary or appropriate.
7. Provide advice and counsel to the President, Senior Vice President for Finance and Administration, and the Chief Audit Executive.
8. Perform such specific oversight functions as expressly requested by the Board.
9. Review the Audit Committee Charter with the Chief Audit Executive annually and update as necessary.
10. Confirm annually that all Audit Committee Charter responsibilities have been carried out.
11. The Committee will review annually the close-out and completion of all construction project related-party transactions previously approved by the Board's Conflict of Interest Committee. Related-party transactions are not limited to, but shall include, transactions between the university and Board members, Management, or employees of the university.
12. The Committee shall review summary RIT hotline report information in connection with the operation of the university’s "Ethics and Compliance Hotline."
The Committee shall be composed of not less than seven Trustees who have no relationship with the university that may interfere with the exercise of their independence from Management and the university or the external auditors and who will be appointed by the Chair of the Board and approved by the Board at its annual meeting to serve for a term of one year, or until their successors shall have been appointed. The Chair of the Board, the Vice Chair of the Board, and the President shall not be members of the Committee, but may, upon invitation of the Committee, attend any meeting. The Senior Vice President for Finance and Administration shall not be a member of the Committee, but shall be invited to all meetings at the discretion of the Chair of the Committee. The Chief Audit Executive will act as staff of the Committee to provide university information to assist the Committee in fulfilling their responsibilities.
Appointments, Terms, Meeting Frequency, and Financial Literacy
The Chair of the Board shall appoint the Chair of the Committee. The Chair of the Committee will be approved by the Board at its annual meeting to serve for a term of one year, or until his or her successor has been appointed. The Committee shall meet at such times and places upon such notice as it may determine, at least twice per year. All Committee members shall be financially literate (or shall become financially literate within a reasonable period of time after appointment to the Committee), and at least one member shall have accounting or related financial management expertise and one member shall have related information technology management expertise, when possible. The Chair of the Committee and the Chief Audit Executive will ensure that Committee members are provided with a proper Committee orientation.
Private and Executive Sessions
A private session of the Committee may be held at the conclusion of general meetings of the Committee, with the Chief Audit Executive, the external auditors, General Counsel or such others as the Committee may request to discuss privately any concerns or issues not appropriate for discussion with all participants present at the general meeting. Each private session shall be attended only by the members of the Committee and the individual(s) requested to attend the private session. An executive session may be held at the conclusion of all meetings of the Committee, attended by only the members of the Committee in order to offer Committee members the opportunity to reflect privately on any concerns or issues raised in the meeting.
Committee meeting minutes shall be prepared and distributed to all Committee members. A copy of the minutes shall be sent to the Secretary of the Institute to be kept with the official minutes of Board committees. A report of each Committee meeting may be presented at the next succeeding meeting of the Board during its executive session with the President, as determined by the Chair of the Committee.
Charter Approved by the Executive Committee of the RIT Board of Trustees June 8, 2015.
Edits incorporating the Committee’s oversight of cybersecurity risk activities were approved by the Audit Committee on March 4, 2021.