Institute Audit, Compliance and Advisement Charter

Internal auditing at Rochester Institute of Technology (the “university”) is an independent and objective assurance and consulting activity designed to add value and improve the university’s operations.  Specifically, it helps the university accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.  The university’s internal auditing function is performed by the department of Institute Audit, Compliance and Advisement (“IACA”).

Institute Audit, Compliance and Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the university community.  We focus on preserving the resources of the university for use by our students as they prepare for successful careers in a global society.

IACA was established by the university to assist the Risk and Audit Committee of the Board of Trustees (the “Committee”) in the accomplishment of its objectives.  The Associate Vice President of IACA leads the department and is the university’s Chief Audit Executive (the “CAE”).  The CAE reports administratively to the Senior Vice President for Finance and Administration, and functionally to the Committee.  IACA is required to report regularly to the Committee regarding the status of the annual audit plan and university risk management systems which include strategic, financial, regulatory, reputational, and operational risks.  The Chief Audit Executive has a responsibility to communicate promptly and directly with the university’s President and the Committee if management efforts to identify and address critical risks are of concern.

The IACA staff shall govern themselves by adherence to The Institute of Internal Auditors' (the “IIA”) “International Professional Practices Framework (IPPF).”  The IIA’s mandatory guidance which includes “Core Principles for the Professional Practice of Internal Auditing,” “Definition of Internal Auditing,” ”Code of Ethics,” and “International Standards for the Professional Practice of Internal Auditing” (the Standards”) shall constitute the operating procedures for IACA.  The IIA’s recommended guidance will be adhered to as applicable.  In addition, IACA will adhere to the university’s policies, procedures and the IACA Department Manual.  The IACA Department Manual shall include attribute, performance, and implementation standards to guide IACA.

IACA is committed to meet the Standards, which includes employing highly competent auditors and maintaining a quality assessment review program.  

All internal audit activities shall remain free of influence by any element in the university, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of an independent and objective mental attitude necessary in rendering reports.  One exception to this statement is that the Senior Vice President for Finance and Administration can mandate that certain engagements be included in the internal audit work plan.

To maintain its independence, IACA and its professional staff may have had no direct responsibility or control over any of the activities they audit and review.  Accordingly, they shall not develop nor install systems or procedures, prepare records, or engage in any other activity, which would normally be audited.  However, IACA staff may perform advisory services without impairing their independence provided those services remain consultative and not operational in nature.  In fulfilling its role, IACA has full and complete access to all university records (manual and electronic), physical properties, personnel, and information provided by third parties relevant to its activities.  Documents and information given to IACA during an audit or review will be handled in the same prudent and confidential manner as by those employees normally accountable for them.  All university employees are requested to assist IACA in fulfilling their staff function.  IACA shall also have free and unrestricted access to the Committee.

The scope of IACA encompasses the examination and evaluation of the adequacy and effectiveness of the university’s governance, risk management process, and system of internal controls in carrying out assigned responsibilities to achieve the university’s stated goals, standards, and objectives.  It includes:

  • Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
  • Reviewing information governance to ensure that it supports the university’s strategies and objectives and appropriately safeguards data.
  • Reviewing the control activities established to ensure compliance with those policies, plans, procedures, laws, and regulations, which could have a significant impact on operations and reports and whether the organization is in compliance.
  • Reviewing the means of safeguarding assets (including information assets) and, as appropriate, verifying the existence and value of such assets.
  • Reviewing and appraising the economy and efficiency with which resources are employed.
  • Reviewing operations or programs to ascertain whether results are consistent with established standards, goals, and objectives and whether the operations or programs are being carried out as planned.
  • Reviewing specific operations at the request of the Committee or management, as appropriate.
  • Monitoring and evaluating the effectiveness of the university’s risk management system.
  • Sharing information and coordinating activities with other internal and external providers of assurance services to ensure proper coverage and minimize duplication of efforts.
  • Suggesting new or modified policies and procedures where appropriate.
  • Evaluating the potential for the occurrence of fraud and the adequacy of the processes in place to mitigate these risks and performing fraud investigations when necessary.
  • Participating on committees and in meetings for significant university initiatives to advise on exposure prevention.
  • Performing advisory engagements which have the potential to improve the management of risks, add value, and improve the university’s operations.
  • Performing follow-up activities to encourage resolution of identified concerns.
  • Monitoring an anonymous hotline (the RIT Ethics and Compliance Hotline) on behalf of the Committee.
  • Promote a culture of ethics, responsibility, and accountability within the university community by providing various regularly-scheduled trainings and communications.

Annually, the CAE shall submit to senior management and the Committee an audit plan.  The audit plan is to be developed based on a prioritization of the audit universe using a risk-based methodology, consistent with the university’s Enterprise Risk Management Program.  The Committee is responsible for approving IACA’s annual audit plan.  Any significant deviation from the formally approved audit plan shall be communicated to senior management and the Committee.

Written communications will be prepared and issued by the CAE following the conclusion of each engagement and distributed as appropriate.  Additionally, a summary of significant results for all audits, business process reviews, limited scope reviews, continuous auditing engagements, and fraud investigations will be provided to all members of the Committee, the President, the external auditors, the Senior Vice President for Finance and Administration, as well as the head of the respective division.

IACA and management shall be responsible for appropriate follow-up on all management corrective action plans.  All findings requiring management action will remain open until cleared by the CAE. 

An annual report of IACA’s activities summarizing the engagements completed and other IACA mission related activities will be prepared for the Committee.

IACA selects high quality professionals to staff its department.  All professional staff must possess certifications in public accounting, internal auditing, or information systems auditing, or be able to obtain one of these certifications within a reasonable time frame.  All IACA professional staff will participate in a continuing professional education program.  IACA also engages external professional service providers, as necessary, to increase the breadth and depth of skills available and to increase its flexibility to respond to the challenges of the university’s changing business risks.

The CAE shall periodically assess whether the purpose, authority, and responsibility, as defined in this charter, continue to be adequate to enable the internal auditing activity to accomplish its objectives.  The result of this periodic assessment should be communicated to senior management and the Board of Trustees via the Committee.

This Charter was adopted on March 24, 2023 via approved motion of the Risk and Audit Committee of the Board of Trustees.

Risk and Audit Committee of the RIT Board of Trustees Charter

To advise and support the administration relating to the integrity of the university’s financial statements, systems of internal control, performance of the university’s independent auditors and internal audit function, and qualifications and independence of the independent auditors. The committee will also advise and support the administration relating to the implementation of the board and officer conflict of interest policies, the university’s enterprise risk management, and legal and regulatory compliance programs.


2.1 The committee shall consist of not less than 7 and no more than 9 members (all of whom must be elected or ex officio trustees) appointed by the chair of the board and approved by the entire board of trustees. All members shall serve until their successors are appointed.

2.2 The chair of the board and the president of the university shall serve as ex officio, non-voting members.

2.3 Up to two emeritus or honorary trustees may serve as non-voting members.

2.4 Trustees with an actual conflict of interest shall not serve on this committee.

2.5 The committee shall have no relationship with the university that may interfere with the exercise of their independence from management and the university or the external auditors.

2.6 At least one committee member shall possess expertise regarding generally accepted accounting principles and financial statements as well as an understanding of internal controls and procedures for financial reporting. All other members shall possess some level of experience in financial matters.

2.7 The senior vice president for finance and administration and treasurer, and/or their designee, shall be non-voting administrative partner to the committee.

2.8 Non-voting members are not counted for purposes of establishing a quorum for meetings of the committee.

2.9 The chair of the committee may invite guests to attend and participate in meetings of the committee. Invited guests shall not vote or be counted for purposes of establishing a quorum for meetings and shall not participate in any committee executive sessions unless invited to do so by the chair.

3.1 The committee shall meet as frequently as it deems necessary to carry out its duties and responsibilities, or at least 3 times per year.

3.2 A majority of the elected and ex officio voting trustees appointed to the committee, or a minimum of 3, whichever is greater, shall constitute a quorum for a meeting.

3.3 The vote of a majority of voting members present at the time of the vote shall be the act of the committee.

3.4 Committees shall conduct meetings in accordance with this committee charter, and, except as otherwise provided in the bylaws, at the time, place, and manner determined by the chair of the committee.

3.5 The chair, in collaboration with the administration partner, shall be responsible for establishing the agendas for meetings. An agenda, together with relevant materials, shall be sent to committee members at least 7 calendar days in advance of the committee meeting.

3.6 Minutes for all meetings shall be drafted by the administration partner, reviewed by the chair of the committee, approved by committee members at the following meeting, and submitted to the secretary of the university as official board records.

3.7 The minutes of the meeting shall contain, as attachments, any materials discussed by and/or presented to the committee members.

3.8 The chair of the committee shall report on the work of the committee annually at the spring meeting of the entire board of trustees, with reporting at additional meetings where appropriate.


4.1 The committee shall have the authority to:

    4.1.1 Periodically appraise the internal control and accounting systems of the university and recommend any appropriate changes; provide high-level oversight of the university’s compliance with applicable laws and regulations; annually report to the full board of trustees the committee’s activities.

    4.1.2 Perform the oversight tasks as delineated in the risk and audit committee procedures document. The procedures will be reviewed and updated as necessary.

    4.1.3 Approve the university’s external auditors, taking into account the recommendation of the senior vice president for finance & administration and pre-approve external auditor's plans and fees for all audit and significant non-audit services (if any).

    4.1.4 Review the university’s audited financial statements annually and recommend to full board for approval.

    4.1.5 Appoint or remove the associate vice president, Institute audit, compliance & advisement in consultation with the senior vice president for finance & administration.

    4.1.6 Review the effectiveness of the university’s process for identifying and managing enterprise risks, trustee, officer, and designated employee conflicts, and monitoring compliance with laws and regulations. Approve the university’s risk map.

    4.1.7 To effectively perform its functions, the committee may request access to all university persons, records and facilities for this purpose.

    4.1.8 Shall provide an annual report to the board on the university’s audited financial statements.

    4.1.9 Execute other duties as delegated by the board.

4.2 The committee shall not have the authority to:

    4.2.1 Grant degrees.

    4.2.2 Fill vacancies on the board or on any committee.

    4.2.3 Sell all or substantially all of the assets of RIT.

    4.2.4 Amend, repeal, or adopt new bylaws or committee charters.

    4.2.5 Amend or repeal any resolution of the board which, by its terms, shall not be so amendable or repealable.

    4.2.6 Remove any trustee or officer from office.

The committee may establish ad hoc subcommittees through which it conducts it activities. Ad hoc subcommittees shall make recommendations for consideration by the committee. Ad hoc subcommittees shall not have the authority act on behalf of the committee or the board.

Membership on ad hoc subcommittees shall be limited to members of the committee establishing the subcommittee.

This charter shall be reviewed and reassessed by the committee annually, and any proposed changes, beyond editorial edits, shall be submitted to the entire board for approval.

Charter Adopted/Approved by the RIT Board of Trustees on November 10, 2022