The COVID-19 pandemic has had a significant impact on RIT’s operations. In fact, the university’s 2020 Institute Risk Map includes, as one of its top ten risks, the risk that COVID-19 will alter or disrupt the manner in which the university fulfills its essential functions. And disrupt operations it has...
As a result of COVID-19, there is likely not one RIT College, Department, or Division that has not had to revise standard processes and procedures in order to accommodate the protocols put in place to help keep the RIT community healthy and safe against the spread of COVID-19.
Once COVID-19 safety protocols were developed, departments had a limited amount of time to modify key processes in order to comply with these protocols and promote a transition that was as smooth and effective as possible. In the haste that was required to implement these new processes, there is a chance that the inclusion of appropriate control activities may not have been a primary focus in the design of these revised processes.
Now that we have made it through the fall semester, as we plan for the spring semester, it is a good time to take a critical look at the new/revised processes that will continue to be utilized as long as COVID-19 restrictions remain in place, and ask, answer, and appropriately resolve the following questions:
What aspects of the process modifications worked well and what did not work well? Can additional modifications be made at a modest cost that would increase the effectiveness and/or efficiency of these processes?
Were there any unintended “upstream” or “downstream” consequences (e.g., disruption to other RIT departments that rely on inputs or outputs from your department) of your process modifications that need to be addressed?
As a result of resource/geographical limitations, were revised processes designed so that responsibilities (i.e., authorization, custody, record keeping, and reconciliation) are appropriately segregated among different people (aka Segregation of Duties) to reduce the risk of error or inappropriate/fraudulent activities?
If, due to resource limitations, it is not feasible to maintain an adequate segregation of duties, have appropriate compensating control activities been put in place (i.e., management oversight and monitoring controls)?
Do revised processes contain both preventive controls (i.e., designed to avoid an unintended event or result at the time of initial occurrence) and detective controls (i.e., designed to discover an unintended event or result after the initial processing has occurred to ensure their prompt correction)?
Are the new/revised processes that have been put in place more effective and/or efficient than the original processes and are there some aspects that should be retained even after the COVID-19 pandemic has been contained?
All faculty, staff, and students should be proud of how the RIT community has worked together to modify RIT’s day-to-day operations to continue to ensure high-quality educational and research experiences while protecting the health and safety of our community. With some reflection and continued resolve, we can fine-tune these new and revised processes to ensure that they include appropriate control activities which will increase the likelihood of the successful accomplishment of RIT’s mission and objectives.
IACA is always happy to consult and advise departments on potential risks to consider and suggested control activities to mitigate these risks as existing processes are redesigned and new processes are developed.
IACA would like to wish all a happy and healthy winter break!!
Inform RIT: RIT Information Security
Contributed by: Ben Woelk, ’07, CISSP, CPTC, Information Security Office Program Manager
Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about how you can take ownership of your privacy.
Social media and mobile apps allow people to stay connected with friends and family, organize their work and personal lives, learn new things, explore new interests or activities, make travel plans, play games, or binge-watch the latest shows. However, these technologies also introduce a plethora of ways for personal information to be tracked, shared, or exposed. Here are some tips you can follow to protect your online information and keep your personal information private.
Limit the amount of personal information that you share online by updating your privacy settings on websites, apps, and mobile devices at least one or two times per year. Not sure where to begin? The National Cyber Security Alliance (NCSA) website provides direct links to update individual account privacy settings on popular devices and online services.
Working in a public space? People can easily overhear phone conversations, so make sure you move to a private area when discussing personal or confidential information. People can also unintentionally—or intentionally—see what’s on your laptop or mobile device. Consider investing in a privacy screen to prevent shoulder surfing and to help protect sensitive work information or details about your personal life.
Turn on two-step verification or multifactor authentication (MFA) whenever it’s offered to help prevent unauthorized access to your mobile devices or online accounts. The National Institute of Standards and Technology (NIST) provides more details about MFA and why it’s important. The Two Factor Auth (2FA) website provides a list of websites that support 2FA. Multi-Factor Authentication at RIT provides information for using MFA at RIT.
Don’t overshare! Limit the kinds of personal information you share on social networking sites. And before you post those vacation pictures, remember that the same data used to help sort and store your photos by date and location can also (unintentionally) reveal where you live, work, or vacation.
We are excited to share the results of a collaborative project between Controller’s Office (CTO) staff and the ITS team to change the way graduate research assistant (GRA) and participant stipend payments are processed.
The new online functionality launched on May 31 and replaces the fillable PDF form used by departmental staff to collect payee information and appropriate approvals with an Oracle application user interface that allows them to enter the information directly into the system. The manual validation of eligibility and other requirements completed by Accounts Payable (AP) staff is now done systematically. These changes resulted in operational efficiencies for CTO and departmental staff university-wide and enhance our ability to deliver better service to our students.
Prior to this technology enhancement, departmental staff assistants submitted forms to AP to initiate payment. The AP staff verified manually a variety of requirements such as GRA eligibility (via the Student Information System - SIS), approvals, account code validation, supplier setup (including tax status) and direct deposit. Each stipend payment required an upload process that was manually initiated. Now, administrative staff in the departments complete and route the forms electronically using the Approval Management Engine (AME) functionality and the GRAs and participants enter additional information directly into the Oracle system. This new process leverages Oracle functionality to eliminate the need for AP staff responsible for processing the stipends to validate requirements in multiple systems and manually calculate payments and values for every stipend payment. The Oracle system completes those steps and flags exceptions that require additional follow-up. AP staff time is spent resolving the exceptions rather than handling every transaction.
This project yielded a number of positive outcomes, including decreasing check printing and distribution costs and reducing procedures required to follow up on uncashed checks and potentially turn over abandoned property to New York State. But perhaps the most noteworthy is the direct benefit and improved service to GRAs and participants through a significant reduction in the time between GRA/participant enrollment and when they receive their direct deposit payment. As research continues to grow at the university, this new process will help departmental and Controller’s Office staff manage additional volume while continuing to deliver excellent service to RIT students.
For additional information about this process:
Please contact Lisa Brent, Accounts Payable Specialist III at email@example.com.
Training Opportunities Provided by IACA
Internal Controls and Fraud in the Workplace
During the 2.5 hour Internal Controls and Fraud in the Workplace class, the importance of, components of, and the responsibility for establishing and maintaining effective internal controls are discussed. Various examples of what can happen when controls are non-existent or break down (i.e., fraud) are shared throughout the class. The session is required in order to receive the RIT Accounting Practices, Procedures and Protocol Certificate of Completion. However, anyone interested in learning about internal controls and fraud prevention is welcome to attend.
To learn more about these important topics, sign up for a session at the CPD website.
Unit Level Risk Assessment—How to Advance Your Organization’s Agility
The first step towards successfully managing risk is to implement an effective risk assessment methodology. Risk assessment is a systematic process for identifying and evaluating both external and internal events (risks) that could affect the achievement of objectives, positively or negatively. During this 2.5 hour class, we will discuss the key components of an effective risk assessment process and how to integrate it into the business process to provide timely and relevant risk information to management. To learn more about this offering, see the corresponding CPD website.
Controls that are designed to avoid an unintended event or result at the time of the initial occurrence.
Controls that are designed to prevent controls.
Controls designed to discover an unintended event or result after the initial processing has occurred to ensure prompt correction.
None of the above.
Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage. Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment and many others.