Quaestor Volume 21, Issue 1
Global Internal Audit Standards (TM) Domain III: Governing the Internal Audit Function
Contributed by: Nancy Nasca, Associate Director, Institute Audit, Compliance and Advisement (IACA)
As explained in previous editions of the Quaestor, the Institute of Internal Auditors (IIA), a global professional association that guides the internal audit profession, released new Global Internal Audit Standards™ (the Standards).¹ These standards went into effect on January 9, 2025, and are organized into 5 domains, 15 guiding principles, and 52 standards.
The last edition of the Quaestor provided an overview of the five principles (Principle 1 through Principle 5) and thirteen related standards of Domain II: Ethics and Professionalism. This edition explores the nine standards that fall under the three principles (Principle 6 through Principle 9) in Domain III: Governing the Internal Audit Function, which outline the requirements for the chief audit executive (CAE) to work closely with the Board/Audit Committee and senior management to establish the internal audit function, position it independently, and oversee its performance:
- Principle 6: Authorized by the Board – The internal audit function must be formally established and supported by the Board through a clear mandate and Internal Audit Charter. This defines its authority, role, and responsibilities.
- Standard 6.1 Internal Audit Mandate – The CAE must establish an internal audit mandate. The mandate must define the purpose, authority and responsibility of the internal audit function.
- Standard 6.2 Internal Audit Charter – The CAE must develop and maintain an internal audit charter that specifies at a minimum, the purpose of internal auditing, the internal audit mandate, organizational position and reporting relationships, and commitment to adhering to the Global Internal Audit Standards.
- Standard 6.3 Board and Senior Management Support – The CAE must provide the Board and senior management with the information needed to support and promote recognition of the internal audit function throughout the university.
Examples of Conformance:
- IACA’s mandate is to promote a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the university community.
- IACA’s Internal Audit Charter is reviewed and approved by the Risk and Audit Committee (RAC) of the Board of Trustees annually and includes the purpose of internal auditing, IACA’s mandate, role and organizational position, and commitment to adhere to the Global Internal Audit Standards™. IACA’s charter is available on the IACA website: https://www.rit.edu/fa/charters.
- The CAE meets with the RAC and senior management periodically throughout the fiscal year, providing status updates and other information necessary in support of the internal audit function.
- Principle 7: Positioned Independently – The internal audit function must be organizationally independent. The CAE should report directly to the Board/Audit Committee and have unrestricted access to information, personnel, and physical properties.
- Standard 7.1 Organizational Independence – The CAE must confirm to the Board the organizational independence of the internal audit function at least annually. The CAE must discuss with the Board and senior management any current or proposed roles and responsibilities that have the potential to impair the internal audit function’s independence, either in fact or appearance.
- Standard 7.2 Chief Audit Executive Qualifications – The CAE must maintain and enhance the qualifications and competencies necessary to fulfill the roles and responsibilities expected by the Board.
Examples of Conformance:
- IACA reports functionally to the RAC, allowing staff members to remain free of influence by any element in the university, including matters of audit selection, scope, procedures, frequency, timing, or report content.
- IACA staff may not develop nor install systems or procedures, prepare records, or engage in any other activity which would normally be audited. However, IACA staff may perform advisory services without impairing their independence provided those services remain consultative and not operational in nature.
- IACA staff members are required to disclose any potential, real, or perceived conflicts of interest on an annual basis both as part of RIT’s Individual Conflict of Interest and Commitment process and through an internal conflict of interest/related party reporting process.
- IACA provides the RAC with an annual report which includes the certifications held by all staff members, including the CAE. Maintaining these certifications requires staff members to obtain continuing professional education credits each year.
- IACA staff, including the CAE, are members of several professional organizations which offer training, best practices, and benchmarking resources.
- Principle 8: Overseen by the Board – The Board/Audit Committee must actively oversee the internal audit function, ensuring it has adequate resources, qualified leadership, and a clear strategy to fulfill its mandate.
- Standard 8.1 Board Interaction – The CAE must provide the Board with the information needed to conduct its oversight responsibilities, including the results of internal audit services.
- Standard 8.2 Resources – The CAE must evaluate whether internal audit resources are sufficient to fulfill the internal audit mandate and achieve the internal audit plan.
- Standard 8.3 Quality – The CAE must develop, implement, and maintain a quality assurance and improvement program comprised of both internal and external assessments.
- Standard 8.4 External Quality Assessment – The CAE must develop a Board-approved plan for an external quality assessment at least once every five years. The results of this assessment must be presented to the Board.
Examples of Conformance:
- The CAE meets with the RAC and senior management periodically throughout the fiscal year, providing status updates and other information necessary in support of the internal audit function (e.g., adequacy of resources).
- IACA has implemented a Quality Assurance Program which consists of an internal post-engagement review of workpapers for compliance with IACA policies and procedures, an annual internal self-assessment of compliance with professional standards, and a periodic self-assessment with independent external validation of compliance with professional standards (every 5 years).
In the next edition of the Quaestor, IACA will explore the 16 standards that fall under the 4 principles in Domain IV: Managing the Internal Audit Function, which outline the CAE’s responsibility for strategic planning, obtaining and deploying resources, building relationships, communicating with stakeholders, and ensuring and enhancing the performance of the internal audit function.
Have you wondered why RIT Information Security makes specific security control decisions?
Contributed by: Dave Sanders, Information Security Office Student Employee
As digital threats evolve faster than ever, Rochester Institute of Technology (RIT) is staying ahead of the curve. By adopting the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), RIT reinforces its commitment to protecting student, faculty, and staff sensitive data, complying with federal regulations, and building trust across academic and research communities.
Flexibility Against Developing Threats
NIST CSF 2.0 offers a flexible yet structured approach to managing cybersecurity risk. The framework organizes security practices into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. This structure helps RIT refine its cybersecurity strategies to meet evolving threats.
Aldwin Maloto, Chief Information Security Officer, said that 10 years ago the pace of change was much slower: detecting a spam email could be as simple as looking for misspellings. Now that cyber attackers are leveraging AI, scams, threats, and other attacks are more sophisticated and difficult to detect. The structured but flexible design of NIST CSF helps RIT keep up with the rapid pace of threat development and invest more effectively in technical and process controls, creating an environment that lets RIT focus on its academic mission and provide a safer work and classroom experience for everyone. The framework equips RIT to better protect its information resources and its people.
Transparency & Accountability
RIT uses the NIST Cybersecurity Framework to guide how campus systems and community data are protected in the event of a threat. The NIST CSF structure allows for different approaches to meet evolving threats while staying in compliance with required regulations.
Looking Ahead
Implementing the NIST CSF helps RIT adapt to evolving technologies, including the use of GenAI. Attackers increasingly use AI to accelerate the frequency and impact of attacks. The university’s alignment with NIST CSF also enables compliance with various regulations and helps create a safe environment for learning, innovation, and collaboration.
An Example of NIST CSF Implementation
Earlier in this article we mentioned that the NIST CSF has six core functions. Each of these functions encompasses different safeguards. For example, under the Protect function, the framework provides guidance on:
- Identity, Authentication, and Access Control
- Awareness and Training
- Data Security
- Platform Security
- Protective Technology
Let’s look a little more deeply at Data Security. NIST CSF provides guidance on:

| Guidance | Non-technospeak |
| --- | --- |
| Protection of data at rest | Storing data |
| Protection of data in transit | Sharing data |
| Data integrity checking | Verifying the data is accurate |
| Secure asset management | Disposing of data and storage devices |
| Prevention of data leaks | Stopping Private or Confidential data exposure/breaches |
| Separation of environments | Keeping testing areas separate from the live system so nothing breaks by accident |
RIT provides requirements around data handling through several standards, primarily the Information Access and Protection Standard, and through the Information Handling Course required for anyone at RIT who handles confidential or private information or has administrative privileges on RIT computers or networks.
For more information, contact infosec@rit.edu
Moving from Oracle to Workday: Check Your Costing
Contributed by: Berlin Bermudez, Assistant Controller, Accounting and Financial Management Services; Holly Neill, ERP Finance Functional Lead, Sponsored Program Accounting; Toby Stroud, Executive Director, Sponsored Program Accounting
We are all responsible for ensuring that all effort associated with activities conducted on behalf of RIT, within the scope of an individual's appointment or employment, is accurately assigned and documented to the appropriate projects and accounts. Conducting a thorough review and addressing corrections prior to the Workday go-live is essential for minimizing disruptions and ensuring adherence to project and account requirements, particularly during the effort certification period.
As we prepare for the January ERP conversion from Oracle to Workday, all legacy payroll data—including salary charges to specific accounts and projects—will be migrated into the new system. After the cutover, it will not be possible to use retroactive Employee Action Forms (EAFs) to reallocate salary that was charged on or before December 31, 2025. Once the data is in Workday, prior-period salary moves for those dates cannot be initiated through the standard retro process.
Given this limitation, assistance is needed to ensure the accuracy of salary allocations. Please confirm that each employee’s costing is correct and that salary charges have been posted to the intended accounts and projects. Complete two checks: (1) validate current costing so future payrolls hit the right funding sources, and (2) review prior salary charges back to July 1, 2025—or to the start date of the award for sponsored projects—and make any necessary corrections before the conversion. All retro EAFs must have all approvals obtained in Oracle by December 8 for bi-weekly employees or December 12 for semi-monthly employees.
In exceptional situations, limited pre-conversion salary corrections may be possible through back-end adjustments. Because these require manual data manipulation and carry risk, approvals will be rare and not guaranteed.
Training Opportunities Provided by IACA
Internal Controls and Fraud in the Workplace
During the 2.5-hour Internal Controls and Fraud in the Workplace class, the importance of, components of, and responsibility for establishing and maintaining effective internal controls are discussed. Various examples of what can happen when controls are non-existent or break down (e.g., fraud) are shared throughout the class. The session is required in order to receive the RIT Accounting Practices, Procedures and Protocol Certificate of Completion. However, anyone interested in learning about internal controls and fraud prevention is welcome to attend.
Risk Assessment Workshop - Building a Strategic Risk Mindset
This workshop will guide participants through the practical application of risk assessment methodologies, using real-world scenarios, group exercises, and collaborative discussions. Together, we’ll explore how to identify, evaluate, and prioritize risks—both threats and opportunities—and how to embed risk thinking into everyday decision-making.
Stay tuned for Spring training dates after the Workday implementation to learn more about these important topics.
Additional Information
Pop Quiz Challenge: Congrats to Betsy Johnson, Senior Staff Specialist, NTID Facilities Services & Sustainability, our last winner!
Correctly answer the question below to be entered in a drawing to win a prize valued at $15. The winner is chosen randomly and notified by email.
In order to ensure the successful migration of payroll data from Oracle to Workday, Supervisors should:
- Validate current costing allocations so future payroll is charged to the correct funding source.
- Review prior salary charges (back to July 1, 2025, or the start of sponsored program awards) and make any necessary corrections before the conversion.
- Submit any approved retro Employee Action Forms (EAFs) by December 8, 2025 for bi-weekly employees, or December 12, 2025 for semi-monthly employees.
- All of the above.
Click here to submit your answer.
Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage. Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment and many others.