Institute Audit, Compliance & Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the University community. We focus on preserving the resources of the University for use by our students as they prepare for successful careers in a global society.
All IACA employees sign a Confidentiality Statement and Professional Code of Ethics annually. Given the nature of its work, IACA's internal audit charter provides the auditors with unrestricted access to all University records, plans, policies, procedures, properties, and personnel. All sensitive information is appropriately safeguarded and handled confidentially.
IACA strives to be proactive in identifying opportunities for business process improvements and to facilitate training that improves internal controls; increases risk awareness and internal control accountability; reduces the likelihood of financial, operational, compliance and strategic exposure; and drives greater value from internal support processes.
Audit and Business Process Reviews
An IACA Annual Work Plan is developed and approved by the Audit Committee of the RIT Board of Trustees based on an assessment of risk across the University. There are three parts to an audit or business process review engagement: planning, fieldwork, and reporting. The RIT Audit Process
Planning: Planning is conducted prior to the start of every engagement to assess specific risks of the business unit/process and to establish the preliminary scope and work plan. During the planning phase, the engagement team meets with management to gain an understanding of the current business environment, including the following:
Organizational structure; roles
Recent or expected department changes; major current initiatives
Known control weaknesses
Entrance Meeting: The engagement team meets with management to discuss the engagement objectives, scope, and expectations. During the meeting, key contacts are confirmed and timelines are established.
Fieldwork: Initial meetings will be held with key contacts to identify and determine the level of risk associated with all significant activities within the business areas under review. During fieldwork, the auditors will review and evaluate the internal controls in place. This will be accomplished through review of process documentation, interviews, transaction testing, account analysis, data analysis, and other means as appropriate. While every effort will be made to minimize disruption during fieldwork, we will need to request information and schedule time with key process participants.
If a control weakness is observed during fieldwork, the observation will be documented by the auditors along with an analysis of the associated risks. Audit observations will be reviewed with responsible management for accuracy.
A formal report is prepared and shared with the engagement area's management, applicable RIT administration, and RIT's external auditors. The report includes an assessment of the internal control environment, a summary of the issues identified during the engagement, and management's corresponding corrective action plans. A summary of the engagement results is provided to the Audit Committee of the RIT Board of Trustees.
Advisory observations may also be identified during an engagement; these would be items of lesser concern, but ones that may provide opportunities for enhancing controls, increasing efficiencies, or improving operations. These items are shared only with the engagement area's management and do not require the development and implementation of management corrective action plans.
All RIT employees need to be aware of the business risks in their area of responsibility. To help mitigate those business risks, each division, college, and department is responsible for establishing and maintaining effective business practices and internal controls. To assist the University in achieving its objectives, it is vital that a strong internal control environment exists in all aspects of the RIT Community. One result of weak or broken internal controls is Fraud. Occupational fraud can be found in any workplace. Whether an organization is a non-profit entity such as a university, or a large for-profit corporation, fraud has occurred and continues to occur. This combined topic class will provide you with the knowledge to understand how good internal controls can help prevent fraud from occurring in your area of responsibility. During this class, the importance of, components of, and the responsibility for establishing and maintaining effective internal controls will be discussed. Various examples of what can happen when controls are non-existent or broken (i.e., fraud) will be shared throughout the class.
Traditionally, risk is often thought of as something to be avoided. However, given that value is a function of risk and return, strategic-minded managers do not necessarily strive to eliminate risk or even to minimize it. Rather, these managers seek to manage risk (both exposures and opportunities) across all parts of their organization so that, at any given time, they incur just enough of the right kind of risk to effectively pursue strategic goals.
The first step towards successfully managing risks is to implement an effective risk assessment methodology. Risk assessment is a systematic process for identifying and evaluating both external and internal events (risks) that could affect the achievement of objectives, positively or negatively. During this class, we will discuss the key components of an effective risk assessment process and how to integrate it into the business process to provide timely and relevant risk information to management.
Limited Scope Reviews
In addition to audits, business process reviews, and advisory services, IACA performs limited scope reviews, which engage department/process management in a series of financial, operational, and strategic questions pertinent to the area under review. This type of review is not an audit and does not include the performance of in-depth audit procedures, but rather is comprised primarily of inquiry as well as high-level observation and/or verification activities.
In addition to an audit or business process review, IACA can further assist management by providing a fresh perspective utilizing analytical and research skills. These advisory services may include:
Reviewing the reliability and integrity of financial and operating information, reports, and systems;
Determining whether operational results are consistent with established objectives and standards;
Reviewing the means for adequately safeguarding and verifying the existence of assets;
Reviewing the systems established to ensure compliance with policies, plans, procedures, laws, and regulations, and;
Working in a consultative role to improve and/or benchmark processes and controls.
Quaestor Quarterly Newsletters
We hope that you find the Quaestor Newsletter beneficial!