When Colin Powell said “you don't know what you can get away with until you try," the faces of auditors everywhere turned to stone. The statement, while out of context, could be the ultimate role reversal. The “catch me if you can” and “what’s the worst that can happen” attitude exists at some level in all organizations.
While an audit is rarely considered appealing by those being audited, new internal controls expectations have brought all stakeholders to the table to share responsibility and move forward.
Thankfully, the apprehension surrounding a visit by the internal audit department has dissipated at RIT. In fact, an internal audit function has existed here for decades. The former Business Process & Audit Department (BP&A) has been repositioned and renamed Institute Audit, Compliance & Advisement (IACA). With a fuller and expanded mission, “the advisement and education that we provide are critical components of our campus service plan,” states Steven Morse, Executive Director. “We’re the quiet and dynamic group of professionals operating behind the scenes assisting management. This collaboration is essential for RIT to run effectively.” Often when things go awry, it’s not intentional, but rather a lack of awareness. Partnering with the campus community to avoid issues and realize compliance is a primary focus of IACA.
A few years back, questionable accounting practices and outright fraudulent activities in corporate America caused Congress to pass the Sarbanes-Oxley Act of 2002 (SOX). This legislation provides standards for auditing and attestation, quality control, ethics, independence, and the protection of the public interest. The basic implications provide for the oversight of audits and external auditors of public companies, and sanctions both public accounting firms and corporate individuals, such as chief executive and chief financial officers, for violation of laws, regulations, and accounting rules. It also provides for criminal penalties including hefty fines and jail time for corporate executive officers, and protection for issues related to employee whistle blowers. While the legislation doesn’t apply to higher education, the issues are universal and RIT has decided to implement elements of SOX appropriate to the Institute.
Further, IACA partners with the Institute’s external auditors, PricewaterhouseCoopers (PWC), to ensure that RIT obtains comprehensive audit coverage year after year. PWC audits the Institute’s annual financial statements and processes that provide this financial data. IACA’s scope of work covers the broader spectrum of all RIT operations.
To develop a meaningful and risk-based audit plan, IACA performs an interactive risk assessment that is qualitative, quantitative, and campus-wide to ensure the identification of potential areas of risk. This assessment takes into account financial, operational, strategic, regulatory, and reputational risks. Once complete, the annual risk assessment becomes the foundation from which IACA develops its comprehensive risk-based annual audit plan. The annual IACA audit plan, which includes audit, business process review, questionnaire review, and continuous auditing engagements, is approved by the Audit Committee of the RIT Board of Trustees.
On a typical day, IACA staff can be found working on any number of the engagements identified above, as well as performing a fraud investigation, advising management, or providing training on internal controls. This variety of activities is a result of IACA’s university-wide responsibilities.
“RIT is a dynamic and growing institution,” says Dr. James Watters, Sr. Vice President for Finance and Administration. “As we grow, RIT depends on Steve and his staff to make sure that new processes are functioning as intended, and that appropriate internal controls are in place to safeguard Institute assets.” Since maintaining well functioning internal controls is critical to the financial and operational health of any department, division, or organization, IACA provides its C.A.R.E.S. internal controls training to Institute managers and employees from all disciplines across campus.
“Ideally, IACA would like to be at the table with managers to review new procedures or processes prior to implementation,” states Morse. “Since IACA staff are independent of campus operations, we are able to provide objective and thoughtful insight to management so that appropriate controls are put in place or modified as necessary. At the end of the day, IACA’s primary charge is to promote effective internal controls.”
Definition of Occupational Fraud: The use of one’s occupation for personal enrichment through deliberate misuse or misapplication of the employing organization’s resources or assets.
Hot Topics ~ Preventing Identity Theft
Contributed by: Carole Miller
Would you leave your house key with a stranger? Would you leave town for a week with the doors to your home unlocked? Most of us would answer no to these questions, but in reality this is essentially what many of us are doing when we fail to guard our personal information.
The internet is swarming with criminal opportunists just waiting to gain access to your money, intellectual property, or personal identity information. Identity theft, no longer just an obscure crime of the 21st century, has recently become as familiar to most Americans as Acid Rain or Global Warming. In 2004, more than ¼ million people filed complaints with the Federal Trade Commission for identity crimes. The real number of those suffering from ID Theft in the 12 months of 2003 was 7 million according to a Harris Interactive poll. This contemporary hazard, if not dealt with, could cause near irreparable damage, and cost you money. The average cost to victims of identity crimes ranges between $1,000 and $5,000. Public service messages are running concurrently with McDonald’s commercials to get the point across. This is no longer a problem that “happens to somebody else.” People worldwide must be educated on how to avoid identity theft and what steps to take if faced with the situation. A few simple steps performed routinely could circumvent the devastating consequences of having your identity stolen. A few of the measures you could take are:
Place passwords on your credit card, bank, and phone accounts. Use passwords that contain information not easily accessible to others.
Secure all personal information in your home, especially if you have roommates or employ outside help.
Don’t give out personal information on the phone, through the mail, or online unless you have initiated the contact or know who you are dealing with.
Keep an eye on your mail. Remove it from your mailbox promptly and deposit outgoing mail to a Post Office or USPS collection box rather than an unsecured mailbox.
Tear or shred charge receipts, copies of credit applications, insurance forms, physician statements, checks and bank statements, expired charge cards, and credit offers received through the mail.
Do not give out your social security number unless absolutely necessary. Don’t carry your Social Security number card with you; leave it in a secure place.
Controls over Employee Business Expense Reimbursement
Contributed by: Controller’s Office
One of the key controls in place to ensure that business expense reimbursements are appropriate and also satisfy IRS “accountable plan” requirements (i.e., exempt from FICA and income tax withholding) is information provided by employees about the “business purpose or connection” of the expenditure.
Since qualified business reimbursements must be for expenses incurred in connection with performance of services as an employee, we ask employees to describe the business connection including information about “who,” “what,” “where” and “when” on each reimbursement request. Accounts Payable staff review this information for reasonableness and when it’s missing, or when additional information about the business connection is required, the reimbursement may be delayed. If you have questions about this important control or other controls that are in place over the employee business expense reimbursement process, contact the Accounts Payable Office at extension 5-2372 or 5-7221.