The Quaestor - Volume 14, Issue 1

Novelution-Grants and Contracts Management System

Contributed by: Jason Tack, Executive Director, Sponsored Programs Accounting,

The Office of Sponsored Programs Accounting and Sponsored Research Services are pleased to announce the selection of a new integrated technology solution for grants management, human subjects, and conflict of interest!

Solutions from multiple vendors were evaluated with university-wide representation. The investigation process spanned approximately one year and included the full evaluation of four vendors. The product suite from Novelution was selected for the following reasons:

  • User Experience: user friendly, intuitive, secure cloud-hosted, web and mobile application, including dashboard analytics
  • Pre-award: integrated budgeting, proposal development, online routing and approvals
  • Post-award non-financial: award acceptance, technical reporting, sub-awards, re-budgeting, and extensions
  • Post-award financial: billing and financial reporting, budget monitoring and analysis, and projections
  • Principal Investigators and Administrative Staff: real-time financial monitoring, forecasting, project management, monitoring technical deliverables, and personnel management
  • Compliance: conflict of interest, IRB, export control, and other compliance activities
  • Strategic: best suited to position the RIT community to effectively manage its growing research enterprise and support the university’s strategic plan

The goal for this technology solution is to manage processes (currently de- centralized) within one platform from proposal preparation, through award negotiation and acceptance, project step-up, financial and programmatic administration, and final close-out in an integrated and coordinated manner.

Novelution’s single platform solution will enable the management of pre- and post- award activities for externally sponsored projects (i.e., grants and contracts) in a manner comparable to peer institutions.

The Conflict of Interest module will be implemented first beginning in February 2019, with the Sponsored Research and the Institutional Review Board modules to follow with an expected completion during 2021.

Several people under a cloud of computing devices.

Inform RIT

Contributed by: Ben Woelk, ISO Program Manager, RIT Information Security Office,

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about a current type of attack seen across higher education, Business Email Compromise (BEC). The content is adapted from materials provided by PhishLine.


  • BEC scams often start with a phishing email intended to obtain unauthorized access to a targeted employee’s account.
  • The attacker may exchange a series of emails with the targeted employee in order to build a trusted relationship. Even though these emails do not normally contain links or attachments, they still pose a risk by connecting the attacker to internal resources.
  • If a targeted employee clicks a link in the phishing email that leads to downloading malware, cybercriminals may gain access to employee information such as email addresses, vendor profiles, payment details, and travel schedules.
  • Using this information, scammers can pretend to be trusted vendors or employees inquiring about payments or sensitive data.
  • The scammers will email employees from embedded contact lists or even call them, earning their trust.
  • When the targeted employee is out of reach, such as away on business, the cyber thief could send a fake email from his or her office, demanding that a payment be made to the trusted vendor’s account.
  • With no way to verify if the email is authentic, the employee may make a hasty decision to approve the payment. Of course, the payment goes to the scammer and not the trusted vendor.
  • Determine whether an email is a BEC scam by looking for suspicious behaviors, including fear tactics or urgent unusual requests.
  • You can prevent BEC scams by verifying requests in person or by phone and never relying on email alone.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner

Contributed by: Nancy A. Nasca, Assistant Director, Institute Audit, Compliance & Advisement,

As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.

In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that would be expected to be in place to demonstrate that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the sixteenth COSO principle, which is the first of two principles related to the last component of internal control, Monitoring Activities, as well as the related points of focus.

Principle 16 – The university selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Important characteristics relating to this principle include:

  • Considering Both Ongoing and Separate Evaluations – Monitoring can be performed through ongoing evaluations which are routine operations built into business processes and performed on a real-time basis, or as separate evaluations conducted periodically by objective management personnel, internal audit, and/or external parties. Whether ongoing or separate, these evaluations ascertain the adequacy and effectiveness of existing internal controls to provide reasonable assurance that the organization’s objectives will be achieved.
  • Ongoing Evaluations are Performed by Knowledgeable Personnel and are Integrated with Business Processes – Ongoing evaluations are generally performed by the line operating or functional managers, who have sufficient knowledge to understand what is being evaluated. Technology is often used to support ongoing evaluations and allow for the efficient review and analysis of large volumes of data by knowledgeable and responsible personnel who would recognize inconsistencies or other anomalies which may indicate the need for follow up and corrective action.
  • Considering Rate of Change – When designing an effective monitoring structure (i.e., ongoing vs. separate evaluations), management should consider the rate of change of key factors which may impact operations (e.g., regulations, technology, industry trends). Areas of operation that have greater rates of change may need to have more frequent separate evaluations (e.g., independent consultant, subject matter expert, internal audit).
  • Adjusting the Scope and Frequency of Separate Evaluations–Separate objective evaluations will vary in scope and frequency depending on the significance of the process-related risks, results of ongoing evaluations, and expected impacts on the control components in managing the risks. Higher priority risks should be evaluated more frequently and in greater depth than lower priority risks.
  • Evaluating Outsourced Service Provider Operations-Owners of key functions that are performed by third party service providers (vendors) need to understand the activities and controls associated with these services and how the vendor’s internal control system impacts the university’s system of internal control. Common approaches used to monitor the vendor’s system of internal control include: incorporating a right- to-audit clause in the vendor’s contract, reviewing an independent audit or examination report (i.e., Service Organization Control (SOC) report), and implementing complementary user entity controls (e.g., reconciliations, independent verification of vendor data, encryption of data transmitted to vendor).

Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”

Training Opportunities Provided by IACA

Internal Controls and Fraud in the Workplace

During the 2.5 hour Internal Controls and Fraud in the Workplace class, the importance of, components of, and the responsibility for establishing and maintaining effective internal controls are discussed. Various examples of what can happen when controls are non-existent or break down (i.e., fraud) are shared throughout the class. The session is required in order to receive the RIT Accounting Practices, Procedures and Protocol Certificate of Completion. However, anyone interested in learning about internal controls and fraud prevention is welcome to attend.

To learn more about these important topics, sign up for a session at the CPD website.

The next upcoming training session of Internal Controls & Fraud in the Workplace is: Tuesday, April 16, 2019 9:00-11:30 a.m. Louise Slaughter Hall, Rm 2140

Unit-Level Risk Assessment—How to Advance Your Organization’s Agility

The first step towards successfully managing risk is to implement an effective risk assessment methodology. Risk assessment is a systematic process for identifying and evaluating both external and internal events (risks) that could affect the achievement of objectives, positively or negatively. During this 2.5 hour class, we will discuss the key components of an effective risk assessment process and how to integrate it into the business process to provide timely and relevant risk information to management. To learn more about this offering, see the corresponding CPD website.

The next upcoming training session of Unit-Level Risk Assessment is: Thursday, April 18, 2019 9:00 to 11:30 a.m. Louise Slaughter Hall, Rm 2140

Additional Information by IACA

Pop Quiz Challenge

Correctly answer the question below and you will be entered in a drawing to win a prize valued at $15. The winner will be chosen randomly and notified by email.

Congrats to Christopher Helming, ITS Enterprise Support, who was our last winner!

Novelution was selected for all but which of the following criteria:

  1. User experience factors
  2. Post-award financial attributes
  3. The product name
  4. Compliance attributes

Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our web-page.

Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

Learn more about your IACA team.