The Quaestor - Volume 15, Issue 2

As a result of COVID-19, there is likely not one RIT College, Department, or Division that has not had to revise standard processes and procedures in order to accommodate the protocols put in place to help keep the RIT community healthy and safe against the spread of COVID-19.

Once COVID-19 safety protocols were developed, departments had a limited amount of time to modify key processes in order to comply with these protocols and promote a transition that was as smooth and effective as possible. In the haste that was required to implement these new processes, there is a chance that the inclusion of appropriate control activities may not have been a primary focus in the design of these revised processes.

Now that we have made it through the fall semester, as we plan for the spring semester, it is a good time to take a critical look at the new/ revised processes that will continue to be utilized as long as COVID-19 restrictions remain in place, and ask, answer, and appropriately resolve the following questions:

• What aspects of the process modifications worked well and what did not work well? Can additional modifications be made at a modest cost that would increase the effectiveness and/or efficiency of these processes?
• Were there any unintended “upstream” or “downstream” consequences (e.g., disruption to other RIT departments that rely on inputs or outputs from your department) of your process modifications that need to be addressed?
• As a result of resource/geographical limitations, were revised processes designed so that responsibilities (i.e., authorization, custody, record keeping, and reconciliation) are appropriately segregated among different people (aka Segregation of Duties) to reduce the risk of error or inappropriate/fraudulent activities?
• If due to resource limitations, it is not feasible to maintain an adequate segregation of duties, have appropriate compensating control activities been put in place (i.e., management oversight and monitoring controls)?
• Do revised processes contain both preventive controls (i.e., designed to avoid an unintended event or result at the time of initial occurrence) and detective controls (i.e., designed to discover an unintended event or result after the initial processing has occurred to ensure their prompt correction)?
• Are the new/revised processes that have been put in place more effective and/or efficient than the original processes and are there some aspects that should be retained even after the COVID-19 pandemic has been contained?

All faculty, staff, and students should be proud of how the RIT community has worked together to modify RIT’s day-to-day operations to continue to ensure high-quality educational and research experiences while protecting the health and safety of our community. With some reflection and continued resolve, we can fine tune these new and revised processes to ensure that they include appropriate control activities which will increase the likelihood of the successful accomplishment of RIT’s mission and objectives.

IACA is always happy to consult and advise departments on potential risks to consider and suggested control activities to mitigate these risks as existing processes are redesigned and new processes are developed.

IACA would like to wish all a happy and healthy winter break!!

Privacy Tips:

Social media and mobile apps allow people to stay connected with friends and family, organize their work and personal lives, learn new things, explore new interests or activities, make travel plans, play games, or binge-watch the latest shows. However, these technologies also introduce a plethora of ways for personal information to be tracked, shared, or exposed. Here are some tips you can follow to protect your online information and keep your personal information private.

• Limit the amount of personal information that you share online by updating your privacy settings on websites, apps, and mobile devices at least one or two times per year. Not sure where to begin? The National Cyber Security Alliance (NCSA) website provides direct links to update individual account privacy settings on popular devices and online services.
• Working in a public space? People can easily overhear phone conversations, so make sure you move to a private area when discussing personal or confidential information. People can also unintentionally—or intentionally—see what’s on your laptop or mobile device. Consider investing in a privacy screen to prevent shoulder surfing and to help protect sensitive work information or details about your personal life.
• Turn on two-step verification or multifactor authentication (MFA) whenever it’s offered to help prevent unauthorized access to your mobile devices or online accounts. The National Institute of Standards and Technology (NIST) provides more details about MFA and why it’s important. The Two Factor Auth (2FA) website provides a list of websites that support 2FA. Multi-Factor Authentication at RIT provides information for using MFA at RIT.
• Don’t overshare! Limit the kinds of personal information you share on social networking sites. And before you post those vacation pictures, remember that the same data used to help sort and store your photos by date and location can also (unintentionally) reveal where you live, work, or vacation.
• Online quizzes and games can be fun, but before taking that quiz to find out which Hogwarts house you belong in, think about how the personal details from your social media profiles might be sold to or shared with data collection companies. (Look for a privacy policy whenever you play a game or take a quiz to see how social media or affiliate sites may capture and use your personal data.)
• Learn more about why privacy matters. matters It is important to understand the different aspects of privacy (e.g., personal privacy, autonomy, secrecy, limited access, and the “right to be left alone.”) Review the RIT Privacy Policy (C07.0) to understand your responsibilities and your expectations of privacy at RIT.

This article is adapted from the EDUCAUSE Review Security Matters blog post: “January 2020: Take Ownership of Your Privacy”, authored by Valerie Vogel, and is used with permission.

The new on-line functionality launched on May 31, and replaces the fillable PDF form used by departmental staff to collect payee information and appropriate approvals with an Oracle application user interface that allows them to enter the information directly into the system. The manual validation of eligibility and other requirements completed by Accounts Payable (AP) staff is now done systematically. These changes resulted in operational efficiencies for CTO and departmental staff university-wide and enhances our ability to deliver better service to our students.

Prior to this technology enhancement, departmental staff assistants submitted forms to AP to initiate payment. The AP staff verified manually a variety of requirements such as GRA eligibility (via the Student Information System - SIS), approvals, account code validation, supplier setup (including tax status) and direct deposit. Each stipend payment required an upload process that was manually initiated. Now, administrative staff in the departments complete and route the forms electronically using the Approval Management Engine (AME) functionality and the GRAs and participants enter additional information directly into the Oracle system. This new process leverages Oracle functionality to eliminate the need for AP staff responsible for processing the stipends to validate requirements in multiple systems and manually calculate payments and values for every stipend payment. The Oracle system completes those steps and flags exceptions that require additional follow-up. AP staff time is spent resolving the exceptions rather than handling every transaction.

This project yielded a number of positive outcomes, including decreasing check printing and distribution costs and reducing procedures required to follow-up on uncashed checks and potentially turn over abandoned property to New York State. But perhaps the most noteworthy is the direct benefit to and improved service to GRA and participants by having a significant reduction in the time between GRA/participant enrollment and when they receive their direct deposit payment. As research continues to grow at the university, this new process will help departmental and Controller’s Office staff manage additional volume while continuing to deliver excellent service to RIT students.

For additional information about this process:
Please contact Lisa Brent, Accounts Payable Specialist III at lybap@rit.edu.