The Quaestor - Volume 13, Issue 3

Anatomy of an Internal Audit

Contributed by: Jeffrey W. Butler, Senior Internal Auditor, Institute Audit, Compliance & Advisement,

According to Merriam-Webster’s Dictionary, one definition of Audit (noun) is a “methodical examination and review.” Although concise, the definition boils an audit down to only four words, but an audit is so much more. So let’s dissect an internal audit as conducted by IACA.

Before we get to that though, it’s important to understand that there are numerous types of audits and auditors. Notable types of audits (and common types of auditors) include, but are not limited to, Tax Audits (Internal Revenue Service Auditors), Financial Statement Audits (Independent External Auditors), Governmental Audits (Government Auditors, such as Department of Labor and Environmental Protection Agency Auditors), Compliance Audits (various types of auditors), IT Audits (External or Internal Auditors), and Operational Audits (generally, Internal Auditors).

Even though there are different types of audits and different types of auditors, the one thing all audits do have in common is an audit process: Planning, Fieldwork, Reporting, and Monitoring of Corrective Actions.


Planning is conducted before the start of every audit and is the most important part of the engagement. The planning phase is important because it is when the auditors obtain an understanding of the process/operation being reviewed and the associated risks. It is also when the auditor creates the scope and work plan for the entire audit.

Auditors spend time during this phase researching the process/operation being audited, which includes learning about the nature of the services and products provided, the industry, the history of the area, the management structure, and the objectives of the area. After obtaining a general understanding, the auditor will create a preliminary scope focusing on the higher risk areas of the operation.

Then it’s time to meet with the management of the area being audited (aka the Planning Meeting). Although certain scope areas will have been identified prior to the meeting, changes often happen at this meeting, since no amount of independent research can substitute for the knowledge management has about their own operational risks; therefore, this meeting is an opportunity for management to discuss any known control weaknesses with the auditor, indicate areas that they would like to be considered for inclusion in the audit scope, and provide information relative to the preliminary scope areas (this additional information might result in a scope area being removed if the audit team decides that the associated risk is low). Taking into consideration all of the information gathered during this phase, the audit team determines a final audit scope and fieldwork commences.


During the fieldwork phase, the majority of the test work happens. The auditor will usually begin the initial meetings with key contacts identified during the Planning Meeting and then meet with others including the key process owners that are knowledgeable about and/or responsible for the various aspects of the process being audited.

Through these meetings, the auditor will identify and determine the level of risk associated with all significant activities within the business areas under review. The auditor will then evaluate the adequacy of the internal controls in place to mitigate the risks identified through additional inquiry, transaction testing, and review of supporting documentation. IACA does our best to obtain support and perform testing back at our own offices, but it is often necessary to request additional support and discuss situational issues as they arise. If a potential control weakness (i.e., the processes in place may not adequately mitigate the risks identified) is observed during fieldwork, the auditor will identify the risks associated with the observation, and discuss it with the management of the area audited to verify the completeness and accuracy of the information supporting the observation.

Observations can vary from low risk (e.g., inefficiencies in a process) to high risk (e.g., non -compliance with federal regulations); and are assigned into one or more of five risk categories: Strategic, Financial, Regulatory (aka Compliance and Legal), Reputational, or Operational. The definitions of each are below:

Strategic – an event that would prevent the department/university from accomplishing its objectives Financial – an event that could result in a negative financial impact to the university

Regulatory (aka Compliance and Legal) – an event that could expose the university to fines and penalties from a regulatory agency due to non-compliance with laws and regulations

Reputational – an event that could expose the university to negative publicity

Operational – an event that could prevent the department from operating in the most effective and efficient manner possible or be disruptive to other university operations

Once all of the testing is complete, the observations have been identified, and the auditor has confirmed their understanding with the management of the area being audited, the auditor will meet with IACA management to discuss the risks associated with each observation, which will determine how the observations will be reported. Then, we transition to the reporting-writing phase.


Three reports are created: Executive Summary, Detailed Observations report, and Advisory Observations report.

The Executive Summary summarizes the medium/high risk observations made during the review.

The Detailed Observations report includes medium/high risks observations, the associated risks, and recommendations for mitigating the observed risk. All observations included in this report require a management action plan and an estimated date of implementation. Although recommendations will be provided to management, management may choose a different course of action, as long as the risks are mitigated.

The Advisory Observations report includes issues of lesser concern (i.e., low risk) that were identified during the engagement, and generally present opportunities to enhance controls, increase efficiencies, and/or improve operations.

These three reports will be delivered to management at what we call an Issue Review Meeting. After management provides the auditor with a course of action which mitigates the risks included in the Detailed Observations report, the reports will be issued.

Monitoring of Corrective Actions/Follow-up

This is the final phase of an audit, but no less important. If there were reported gaps in controls observed during the audit and identified in the Detailed Observations report, IACA will perform follow-up procedures after the last estimated implementation date. During this process, IACA does not perform a whole new audit; however, we do perform procedures to ensure that action has been taken to mitigate the gaps in controls identified during the audit. Similar to an audit, our techniques for accomplishing this include inquiry, observation, and limited transaction testing.

And that’s it… from beginning to end how an internal audit, conducted by IACA, is performed.

Inform RIT

Contributed by: Ben Woelk, Program Manager, RIT Information Security Office,

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about securing IoT (Internet of Things) devices. This article is adapted from awareness resources created for the EDUCAUSE Campus Security Awareness Campaign 2018. Thank you to Petr Brym for creating the initial content.

Safe Online Shopping
The holiday season is the perfect time for cybercriminals to take advantage of unsuspected online shoppers. Precautions need to be taken when shopping online in order to prevent your valuable information from being stolen. Include the following precautions in your regular online shopping habits to better protect your purchases and personal information.

Lock Down Your Login
Perhaps the most important action you can perform in preparing for the online shopping season is to fortify your online accounts. Today, only using a username and password is not enough to protect key accounts such as e- mail, banking, and social media. Ensure you are using two-factor authentication and unique one-time codes with an application when available.

Keep Your Devices Clean
Before starting your online shopping spree, verify that all of your online devices are free from known vulnerabilities by only running the most current versions of the software and applications. This covers a range of devices such as laptops, mobile phones, and tablets that you should be updating for your online safety.

Shop on Reliable Websites
When purchasing gifts online, ensure you are using the websites of retailers that you trust. When using a new website for purchasing a product, read reviews and see what customers are saying about their experiences. Verify that the site uses encryption for data in motion by checking if the URL contains “HTTPS” (noted by the green lock in the address bar). Without it, your credit card information and other personal information has a greater chance of being compromised.

Protect your Personal Information
Be alert to the kinds of information being collected to complete a transaction online. Only complete what is required by the vendor to complete the purchase. If the website is asking for unnecessary personal data like social security numbers or a driver’s license, question the integrity and security of the organization to decide whether that product is worth the risk.

Use a Secure Payment Method
Credit cards are one of the safest options when submitting online payments because of the federal laws in place to protect your liability against credit card fraud. Be wary of anyone who insists upon cash or wire transfers only.

Extra Tip: Want to take it one step further? Find out if your bank or credit card issuer offers one-time use card numbers!

Monitor Your Accounts
Make sure to keep track of all your purchases and account histories. Print out orders, receipts, email confirmations, and product descriptions to keep on hand if anything goes awry. Follow up purchases by monitoring your bank account and credit card statements to ensure unauthorized transactions don’t occur.

Shop Safe Online, Even on Black Friday!
Watch out for Good Ol’ Scammer Claus: Practice safe shopping online this holiday season
Online Shopping Safety

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner

Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement,

As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.

In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that would be expected to be in place to demonstrate that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the fifteenth COSO principle, which is the third and final principle related to the Information and Communication component of the COSO Framework, as well as the related points of focus.

Principle 15 – The university communicates with external parties regarding matters affecting the functioning of internal control. Important characteristics relating to this principle include:

  • Communicating with External Parties – Processes are in place to communicate relevant and timely information to external parties including regulators, donors, sponsors, accrediting agencies, and financial analysts (e.g., Moody’s) which allow them to readily understand events, activities, or other circumstances that may affect how they interact with the university and sends a message about the importance of internal control in the university by demonstrating open lines of communication. University Communications manages internal and external communications for RIT including publicity, news media, social media, and public relations to help ensure that important information is shared across a wide audience of external parties, as relevant. RIT also makes its audited consolidated financial statements publicly available on its website, which can be found at the Controller's Audited Financial Statements page.
  • Enables Inbound Communications – Open communication channels allow input from regulators, donors, sponsors, accrediting agencies, vendors, and financial analysts providing management and the Board of Trustees with relevant information such as new or changes to existing regulations or standards, assessments of the university’s compliance with contract terms, standards and/or regulations, etc.
  • Communications with the Board of Trustees – Relevant information resulting from assessments conducted by external parties (e.g., RIT’s external auditors, Middle States Commission) is communicated to the Board of Trustees.
  • Providing Separate Communication Lines – The RIT Ethics and Compliance Hotline is an anonymous communication system intended to provide RIT community members, including external parties, with a method to anonymously report concerns related to improper conduct involving financial reporting, internal controls, protection or use of university assets, regulatory compliance, or harassment and discrimination. The link to submit a report can be found at the Ethics and Compliance Hotline page.
  • Selecting Relevant Methods of Communication – The method of communication should consider the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.

Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”

Additional Information by IACA

Watch IACA’s Monday Minute video series here!

Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.

Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.


What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline


Learn more about your IACA team.