Institute Audit, Compliance & Advisement

Institute Audit, Compliance & Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the University community. We focus on preserving the resources of the University for use by our students as they prepare for successful careers in a global society.

Our Profession

To satisfy its objectives, IACA performs its services in accordance with the International Standards for the Professional Practice of Internal Auditing established by the Institute of Internal Auditors.

The IACA team's professional credentials include:

  • Certified Public Accountant (CPA)
  • Certified Fraud Examiner (CFE)
  • Certified Internal Auditor (CIA)
  • Certified Information Systems Auditor (CISA)
  • Certified in Risk Management Assurance (CRMA)
  • Certified Construction Auditor (CCA)

To keep current with industry developments, IACA team staff maintain memberships in the following professional organizations:


All IACA employees sign a Confidentiality Statement and Professional Code of Ethics annually. Given the nature of its work, IACA's internal audit charter provides the auditors with unrestricted access to all University records, plans, policies, procedures, properties, and personnel. All sensitive information is appropriately safeguarded and handled confidentially.

Our Services


IACA strives to be proactive in identifying opportunities for business process improvements and to facilitate training that improves internal controls; increases risk awareness and internal control accountability; reduces the likelihood of financial, operational, compliance and strategic exposure; and drives greater value from internal support processes.

Audit and Business Process Reviews

An IACA Annual Work Plan is developed and approved by the Risk and Audit Committee of the RIT Board of Trustees based on an assessment of risk across the University. There are three parts to an audit or business process review engagement: planning, fieldwork, and reporting.

Planning:  Planning is conducted prior to the start of every engagement to assess specific risks of the business unit/process and to establish the preliminary scope and work plan.  During the planning phase, the engagement team meets with management to gain an understanding of the current business environment, including the following:

  • Organizational structure; roles
  • Related departments
  • Recent or expected department changes; major current initiatives
  • Known control weaknesses

Entrance Meeting:  The engagement team meets with management to discuss the engagement objectives, scope, and expectations.  During the meeting, key contacts are confirmed and timelines are established.

Fieldwork:  Initial meetings will be held with key contacts to identify and determine the level of risk associated with all significant activities within the business areas under review.  During fieldwork, the auditors will review and evaluate the internal controls in place.  This will be accomplished through review of process documentation, interviews, transaction testing, account analysis, data analysis, and other means as appropriate.  While every effort will be made to minimize disruption during fieldwork, we will need to request information and schedule time with key process participants.

If a control weakness is observed during fieldwork, the observation will be documented by the auditors along with an analysis of the associated risks.  Audit observations will be reviewed with responsible management for accuracy.

A formal report is prepared and shared with the engagement area's management, applicable RIT administration, and RIT's external auditors. The report includes an assessment of the internal control environment, a summary of the issues identified during the engagement, and management's corresponding corrective action plans. A summary of the engagement results is provided to the Audit Committee of the RIT Board of Trustees. 

Advisory observations may also be identified during an engagement; these would be items of lesser concern, but ones that may provide opportunities for enhancing controls, increasing efficiencies, or improving operations.  These items are shared only with the engagement area's management and do not require the development and implementation of management corrective action plans.

Training Opportunities

IACA believes that education and training are vital to a healthy control environment. Therefore, IACA staff provides training sessions on various topics to RIT employees throughout the year, including Internal Controls and Fraud in the Workplace, Unit-Level Risk Assessment, and Basic Business Essentials for Department Heads, Chairs, and Deans.

Internal Controls and Fraud in the Workplace

All RIT employees need to be aware of the business risks in their area of responsibility. To help mitigate those business risks, each division, college, and department is responsible for establishing and maintaining effective business practices and internal controls. To assist the University in achieving its objectives, it is vital that a strong internal control environment exists in all aspects of the RIT Community. One result of weak or broken internal controls is fraud. Occupational fraud can be found in any workplace. Whether an organization is a non-profit entity such as a university, or a large for-profit corporation, fraud has occurred and continues to occur. This combined topic class will provide you with the knowledge to understand how good internal controls can help prevent fraud from occurring in your area of responsibility. During this class, the importance of, components of, and the responsibility for establishing and maintaining effective internal controls will be discussed. Various examples of what can happen when controls are non-existent or broken (i.e., fraud) will be shared throughout the class.

This training session is part of the required classes for obtaining the Track I, Accounting Practices, Procedures and Protocols Certificate of Completion and is offered through RIT's Talent Development.

Unit-Level Risk Assessment

Traditionally, risk is often thought of as something to be avoided.  However, given that value is a function of risk and return, strategic-minded managers do not necessarily strive to eliminate risk or even to minimize it.  Rather, these managers seek to manage risk (both exposures and opportunities) across all parts of their organization so that, at any given time, they incur just enough of the right kind of risk to effectively pursue strategic goals.

The first step towards successfully managing risks is to implement an effective risk assessment methodology.  Risk assessment is a systematic process for identifying and evaluating both external and internal events (risks) that could affect the achievement of objectives, positively or negatively.  During this class, we will discuss the key components of an effective risk assessment process and how to integrate it into the business process to provide timely and relevant risk information to management.

Limited Scope Reviews

In addition to audits, business process reviews, and advisory services, IACA performs limited scope reviews, which engage department/process management in a series of financial, operational, and strategic questions pertinent to the area under review. This type of review is not an audit and does not include the performance of in-depth audit procedures; rather, it consists primarily of inquiry as well as high-level observation and/or verification activities.

Advisory Services

In addition to an audit or business process review, IACA can further assist management by providing a fresh perspective utilizing analytical and research skills. These advisory services may include:

  • Reviewing the reliability and integrity of financial and operating information, reports, and systems;
  • Determining whether operational results are consistent with established objectives and standards;
  • Reviewing the means for adequately safeguarding and verifying the existence of assets;
  • Reviewing the systems established to ensure compliance with policies, plans, procedures, laws, and regulations; and
  • Working in a consultative role to improve and/or benchmark processes and controls.

Monday Minutes

Thank you for tuning in! The Monday Minute is currently on hiatus. However, we hope that you enjoy these previous episodes.


Mailing Address

Institute Audit, Compliance & Advisement
4 Lomb Memorial Drive, MS-W65
Rochester Institute of Technology
Rochester, NY 14623-5604



Staff Directory

Patrick Didas
Associate Vice President Institute Audit Compliance and Advisement
Nancy Nasca
Associate Director
Vernice Stefano
Assistant Director IT Audit
Jeffrey Butler
Senior Internal Auditor
Neeraj Sama
Senior Internal Auditor
Virginia Howe
Staff and Audit Assistant