Quaestor Volume 21, Issue 2
Global Internal Audit Standards Domain IV: Managing the Internal Audit Function
Contributed by: Nancy Nasca, Associate Director, Institute Audit, Compliance and Advisement
As explained in previous editions of the Quaestor, the Institute of Internal Auditors (IIA), the global professional association for the internal audit profession, issued the new Global Internal Audit Standards™ (the Standards), effective January 9, 2025. The Standards are organized into five domains, 15 guiding principles, and 52 standards that collectively define the requirements for effective internal auditing.
The last edition of the Quaestor explored Domain III: Governing the Internal Audit Function, which focuses on the role of the Board and senior management in authorizing, positioning, and overseeing the internal audit function. This edition highlights Domain IV: Managing the Internal Audit Function, which addresses the Chief Audit Executive’s (CAE’s) responsibility for day-to-day leadership and management of the internal audit activity.
Domain IV includes four principles (Principles 9 - 12) and 16 related standards covering strategic planning, resource management, communication, and continuous improvement. Together these requirements ensure the internal audit function is positioned to fulfill its mandate and deliver value to the organization.
- Principle 9: Plan Strategically – The CAE must develop and implement a strategy that supports the internal audit mandate and the organization’s objectives. Effective strategic planning requires a comprehensive understanding of governance, risk management, and control processes, as well as ongoing dialogue with the Board and senior management.
- Standard 9.1 Understanding Governance, Risk Management, and Control Processes – The CAE must consider how the organization identifies and assesses significant risks and selects appropriate control processes.
- Standard 9.2 Internal Audit Strategy – The CAE must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management and other key stakeholders.
- Standard 9.3 Methodologies – The CAE must establish internal audit methodologies which provide standards and criteria that guide the internal audit function in a systematic and disciplined manner to implement the internal audit strategy, develop the internal audit plan, and conform with the Standards.
- Standard 9.4 Internal Audit Plan – The CAE must develop a risk-based internal audit plan strategically aligned with the organization’s goals and objectives.
- Standard 9.5 Coordination and Reliance – The CAE must coordinate with internal and external providers of assurance services to minimize duplication of efforts and enhance the overall value added by providers.
Examples of Conformance:
- IACA has a documented internal audit strategy which includes its vision, mission, and strategic objectives in alignment with the expectations of the board and senior management.
- IACA has a documented procedures manual which includes standards and criteria for client services including risk assessment and engagement processes as well as administrative functions.
- IACA’s audit plan is presented annually to the Risk and Audit Committee (RAC) of the Board of Trustees for their review and approval. The audit plan is aligned with RIT’s Enterprise Risk Management Program top risks.
- Principle 10: Manage Resources – The CAE must obtain, develop, and deploy appropriate financial, human, and technological resources to execute the internal audit strategy and plan.
- Standard 10.1 Financial Resource Management – The CAE must manage the day-to-day activities of the internal audit function effectively and efficiently in alignment with the budget.
- Standard 10.2 Human Resources Management – The CAE must ensure that internal audit staff collectively possess the knowledge, skills, and competencies needed to perform their responsibilities and are effectively assigned to optimize the achievement of the internal audit plan.
- Standard 10.3 Technological Resources – The CAE must strive to ensure the appropriate use of technology and data analytics to enhance audit coverage and efficiency.
Examples of Conformance:
- IACA staff maintain professional certifications and complete required continuing professional education annually.
- IACA staff leverage technology including data analytics to support audit planning and fieldwork.
- External specialists are engaged for highly technical or specialized audits when internal expertise is not available.
- Principle 11: Communicate Effectively – The CAE must establish clear, timely, and transparent communication with the Board of Trustees, senior management, and other stakeholders to support informed decision making and build trust.
- Standard 11.1 Building Relationships and Communicating with Stakeholders – The CAE should maintain regular, ongoing communication with the board, senior management, and the internal audit function to contribute to a common understanding of the organization’s risks and objectives.
- Standard 11.2 Effective Communication – The CAE must establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely internal audit communications.
- Standard 11.3 Communicating Results – The CAE must communicate the results of internal audit services to the Board of Trustees and senior management for each engagement.
- Standard 11.4 Errors and Omissions – If a final engagement communication contains a significant error or omission, the CAE must communicate corrected information promptly to all parties who received the original communication.
Examples of Conformance:
- The CAE meets with the RAC and senior management periodically throughout the fiscal year, providing engagement updates and other information as necessary in support of the internal audit function.
- IACA utilizes a standard reporting format for documenting final engagement results which includes the engagement’s purpose and scope, overall opinion, assessment of internal controls, summary of observations, recommendations, and management action plans.
- Principle 12: Enhance Quality – The CAE must ensure and continuously improve the quality and performance of the internal audit function.
- Standard 12.1 Internal Quality Assessment – The CAE must develop and conduct internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards and progress towards performance objectives.
- Standard 12.2 Performance Measurement – The CAE must develop objectives to evaluate the internal audit function’s performance.
- Standard 12.3 Oversee and Improve Engagement Performance – The CAE must establish and implement methodologies for engagement supervision, quality assurance, and the development of competencies.
Examples of Conformance:
- IACA has implemented a comprehensive quality assurance program which consists of internal post-engagement review of workpapers for compliance with IACA policies and procedures, an annual internal self-assessment of compliance with professional standards, and a periodic self-assessment with independent external validation of compliance with professional standards (every 5 years).
In the next edition of the Quaestor, IACA will explore Domain V: Performing Internal Audit Services, which focuses on planning and executing individual audit engagements and delivering high-quality assurance and advisory services.
Forgotten Accounts, Real Risks
Contributed by: Abdullah Sakayl, Security Awareness Communications Associate, RIT Information Security Office, infosec@rit.edu
Over years of teaching, advising, hiring, purchasing, and research, you may have created more accounts than you realize, such as vendor tools, departmental websites, listservs, conference platforms, research SaaS, HR/finance systems, shared inboxes, and one-off “pilot” tools. We create many of these accounts with the intention of using them, but we rarely revisit or retire them.
Obviously, this is digital clutter. But it’s much more than that! These accounts can represent a real security risk. They may be forgotten and left unmonitored, unprotected, and vulnerable, making them an easy target for unauthorized access.
Password reuse
A common risk with old accounts is password reuse. Reusing the same email and password across sites is convenient, but it means a compromise on one site can lead to access on others. One exposed password can quickly cascade into multiple account takeovers.
Separate personal and university accounts
Use personal accounts for non-RIT services whenever possible. Using your RIT account for non-RIT purposes increases risk to RIT. The RIT Password Standard also forbids using your RIT email with your RIT password (credentials) on non-RIT accounts.
If you sponsor accounts or supervise employees, ensure that each account is closed when the university no longer needs it or when the employee separates from the university.
Personal information
Many websites and online services store personal information such as names, email addresses, and sometimes payment details. If a service is breached or stores data improperly, that information may be used by an attacker. Even when a service sends suspicious-activity alerts, they can go unnoticed if the account is rarely used or forgotten. When RIT data is involved, please follow the RIT Information Access and Protection Standard and use approved systems to store or share confidential or private information. Personal accounts should not be used to store RIT data.
Out-of-date protection
If you’ve forgotten you have an account, you won’t check it regularly, and it may not have a strong password or multifactor authentication. Without up-to-date protection, these accounts are more susceptible to unauthorized access by attackers who look for weak or inactive accounts to exploit.
When to Contact the RSC: Please contact the RIT Service Center (585-475-5000) or visit help.rit.edu if you notice any of the following:
- Unexpected password reset emails, login alerts, or account lockouts.
- Duo/MFA prompts you didn’t initiate.
- Evidence that an old account was accessed (sent mail, settings changed, new forwarding rules).
- You entered your credentials on a suspicious site or responded to a suspected phishing message.
- Any concern that RIT data (student, employee, research, or financial) may be exposed.
Practical Cleanup Strategies
Cleaning up old accounts might seem overwhelming at first, but it is simpler than it looks, especially when broken down into manageable steps.
Start with your RIT email; then repeat with your personal email.
- Begin by filtering your old emails and searching for phrases like “welcome,” “verify your email,” or “account created.” These keywords can help you spot accounts you may have forgotten. Use these messages to confirm when you created an account and identify services you no longer use.
- Use built-in email tools to cut down on unwanted subscriptions. Reducing subscription clutter will make your inbox easier to manage and reduce the number of seldom used accounts.
- In Gmail, open the menu (the three dashes) and scroll until you find Manage subscriptions; if you don’t see it, click More and look there.
- In Outlook, unsubscribe from promotional emails by opening the message and selecting Unsubscribe, but do so cautiously, since some attackers disguise malicious links in these emails.
- Please review your saved credentials, since your browser or password manager may be storing old logins.
- Identify accounts you no longer use and close them when possible.
- If you can’t close an account, update your credentials and remove any stored personal or payment information to reduce your risk.
- If your password manager offers breach alerts, enable them and follow up on any warnings you receive.
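The inbox search described in the first step can be scripted so that it produces an inventory to work from. This is an added example, not part of the original article: it assumes a mailbox exported in mbox format, searches the subject and body for the phrases the article names, and groups the matches by sender domain with the earliest date seen, so each service and its approximate account-creation date appear on one line. The sample messages are constructed.

```python
"""Inventory likely account-creation emails from an mbox export.

Added example for the cleanup steps above; not from the original article.
Assumes an mbox file (Python's standard `mailbox` module reads and writes it).
"""
import email.message
import mailbox
import os
import re
import tempfile
from collections import defaultdict
from email.utils import parseaddr, parsedate_to_datetime

# Phrases the article suggests searching for, matched case-insensitively.
SIGNUP_PHRASES = ("welcome", "verify your email", "account created")
PATTERN = re.compile("|".join(re.escape(p) for p in SIGNUP_PHRASES), re.IGNORECASE)


def _body_text(msg):
    """Return the first text/plain part of a message, decoded, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def inventory_accounts(mbox_path):
    """Group sign-up style messages by sender domain.

    Returns {domain: {"count": n, "first_seen": "YYYY-MM-DD" or None}}; the
    earliest date is the best available estimate of when the account was made.
    """
    found = defaultdict(lambda: {"count": 0, "first_seen": None})
    for msg in mailbox.mbox(mbox_path):
        subject = msg.get("Subject", "")
        if not (PATTERN.search(subject) or PATTERN.search(_body_text(msg))):
            continue
        _, addr = parseaddr(msg.get("From", ""))
        domain = addr.rpartition("@")[2].lower() or "unknown"
        try:
            when = parsedate_to_datetime(msg.get("Date")).date().isoformat()
        except (TypeError, ValueError):  # missing or malformed Date header
            when = None
        entry = found[domain]
        entry["count"] += 1
        if when and (entry["first_seen"] is None or when < entry["first_seen"]):
            entry["first_seen"] = when
    return dict(found)


# Constructed sample mail (sender, subject, date, body); the domains are placeholders.
SAMPLE_MESSAGES = [
    ("noreply@surveytool.example", "Welcome to SurveyTool",
     "Thu, 14 Mar 2019 10:02:00 +0000", "Your account is ready."),
    ("accounts@conference.example", "Please verify your email",
     "Mon, 02 Sep 2021 08:30:00 +0000", "Click the link to verify."),
    ("noreply@surveytool.example", "Your monthly report",
     "Fri, 05 Jan 2024 09:00:00 +0000", "Account created reports are attached."),
    ("colleague@rit.example", "Lunch?", "Tue, 06 Feb 2024 12:00:00 +0000", "Free at noon?"),
]


def demo():
    """Write the constructed sample to a temporary mbox and inventory it."""
    path = os.path.join(tempfile.mkdtemp(), "sample.mbox")
    box = mailbox.mbox(path)
    for sender, subject, date, body in SAMPLE_MESSAGES:
        msg = email.message.EmailMessage()
        msg["From"], msg["Subject"], msg["Date"] = sender, subject, date
        msg.set_content(body)
        box.add(msg)
    box.flush()
    box.close()
    return inventory_accounts(path)
```

Run `demo()` to see the grouped result; point `inventory_accounts()` at your own export to get the real list, then work through it domain by domain.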
Best Practices Moving Forward
Over time, small and consistent habits can significantly reduce long-term risk.
Passwords
- Create a strong, unique password or passphrase for each online account.
- Avoid reusing passwords, since reuse creates a single point of failure where one exposed password can lead to access across multiple accounts.
- Use a password manager to organize your accounts, keep everything visible and accounted for, and simplify ongoing management and deletion.
Sharing less information
- Be mindful of how much information you share when creating an account for a new service, since many services request sensitive personal or financial details.
- Share only what’s necessary, limit extra data where you can, and avoid reusing sensitive information.
These small choices can help reduce your exposure if an account is later compromised.
Conclusion
Managing your digital footprint supports both personal and institutional security. Unused accounts can create unnecessary exposure when left unmonitored, so take time to identify them, close what you can, and strengthen what remains. Small, consistent actions can significantly reduce risk over time.
RIT Tuition Waiver & Taxability
Contributed by: Sarah Kiessling, Assistant Director of Benefits, & Anthony Palmiotto, Executive Director, Tax
Tuition Waiver at RIT
At RIT, our mission is more than a catchphrase—it guides how we operate every day. Our commitment to higher education extends beyond our students to our employees and their eligible partners and dependents. To support this commitment, RIT offers several education benefits designed to make learning accessible and affordable.
Among these, Tuition Waiver significantly enhances the overall benefits package available to eligible faculty and staff and is the most widely used of RIT’s educational benefits. It provides up to 100% tuition waiver for undergraduate and most graduate-level coursework. The benefit also applies to eligible courses offered through RIT’s Academic Success Center and English Language Center and is available immediately to all employees.
So, is there a catch? Not really, provided employees understand the eligibility requirements, taxability rules, and the process for using the benefit. When these factors are understood, the Tuition Waiver program is quite straightforward and easy to navigate.
Taxability
(All statements below are general guidelines; individual circumstances may vary. For the most up-to-date and comprehensive information, please consult RIT’s website.)
Employees - Undergraduate coursework:
Tuition Waiver benefits for undergraduate coursework for regular and adjunct employees are not taxable under Internal Revenue Code (IRC) §117(d).
Employees - Graduate coursework (job-related):
Tuition Waiver benefits for graduate coursework that is job-related are not taxable under IRC §162. “Job-related” coursework is defined by the IRS as coursework that maintains or improves skills required for the employee’s current position or is required by RIT or by law to maintain the employee’s present salary, status, or job.
Employees - Graduate coursework (not job-related):
Tuition Waiver benefits for graduate coursework that is not job-related are taxable. However, IRC §127 allows an annual exclusion of up to $5,250 for employer-provided educational assistance. Any non–job-related Tuition Waiver value that exceeds $5,250 in a calendar year is taxable to the employee. Beginning in 2026, this annual exclusion amount will be indexed for inflation.
Eligible Family Members - Undergraduate coursework:
Tuition Waiver benefits for undergraduate coursework for eligible family members are not taxable under IRC §117(d). An eligible family member’s tax status is a critical factor in assessing taxability.
Eligible Family Members - Graduate coursework:
Tuition Waiver benefits for graduate coursework for eligible family members are taxable under IRC §117(d).
Process
Regular Employees:
Tuition Waiver for courses taken at RIT is applied automatically upon enrollment; no separate application is required.
For graduate-level courses, employees must submit a ‘Graduate Tuition Tax Waiver’ request in Workday for each course for which they are registered. Please refer to this knowledge article for instructions on how to complete this request in Workday. The entry of the course name on the request must be specifically formatted to be accepted in Workday.
Eligible Family Members of Regular Employees:
Tuition Waiver is applied for courses taken at RIT after submitting a ‘Tuition Waiver – Dependent Child/Spouse’ request in Workday.
Adjunct Employees and their Eligible Family Members:
Tuition Waiver is applied for courses taken at RIT after submitting a ‘Tuition Waiver – Adjunct Employee or Dependent Child/Spouse’ request in Workday.
Tax payment process:
When Tuition Waiver benefits are taxable, RIT is required to remit the applicable taxes to the IRS on the employee’s behalf. The Tax Department will issue an invoice to the employee for the taxes paid, which must be reimbursed to RIT. While individual tax liabilities vary based on personal tax circumstances, the combined tax impact is often approximately 40% of the value of the taxable Tuition Waiver benefit.
Payment options:
RIT offers several options to satisfy Tuition Waiver tax liabilities, including installment plans and transfers to a student account.
Feedback
As the Benefits Team and Tax Department continue to enhance and streamline the Tuition Waiver process in Workday, we welcome your feedback. Our goal is to ensure this valuable benefit remains accessible, understandable, and easy to use for all members of the RIT community.
For more information, please visit the following resources:
https://www.rit.edu/humanresources/education-benefits#rit-tuition-waiver
https://www.rit.edu/humanresources/education-benefits-spd#tuition-waiver
https://www.rit.edu/controller/tuition-benefit-taxability#tuition-waiver
Both the Benefits and Tax teams are also available through the RIT Service Center, which includes knowledge articles on this topic, options to submit requests, and the ability to Report an Issue / Ask a Question.
Thank you for taking the time to learn more about RIT’s Tuition Waiver benefit. We hope this overview encourages more colleagues to take advantage of this exceptional opportunity.
Training opportunities provided by IACA
Internal Controls and Fraud in the Workplace
During the 2.5 hour Internal Controls and Fraud in the Workplace class, the importance of, components of, and the responsibility for establishing and maintaining effective internal controls are discussed. Various examples of what can happen when controls are non-existent or break down (i.e., fraud) are shared throughout the class. The session is required in order to receive the RIT Accounting Practices, Procedures and Protocol Certificate of Completion. However, anyone interested in learning about internal controls and fraud prevention is welcome to attend.
Next training session of Internal Controls and Fraud in the Workplace is:
- Thursday, April 23, 2026, 9:00 AM - 11:30 AM - Location: Louise Slaughter Hall (SLA), Room 2140
You can sign up for this session in Workday.
Risk Assessment Workshop - Building a Strategic Risk Mindset
This workshop will guide participants through the practical application of risk assessment methodologies, using real-world scenarios, group exercises, and collaborative discussions. Together, we’ll explore how to identify, evaluate, and prioritize risks—both threats and opportunities—and how to embed risk thinking into everyday decision-making.
The next Risk Assessment Workshop is:
- Wednesday, April 1, 2026, 9:00 AM - 11:30 AM - Location: Louise Slaughter Hall (SLA), Room 2140
You can sign up for this session in Workday.
Additional Information by IACA
Pop Quiz Challenge: Congrats to Charles McFadden, Executive Director, NTID, our last winner!
Correctly answer the question below to be entered in a drawing to win a prize valued at $15. The winner is chosen randomly and notified by email.
Domain IV of the Global Internal Audit Standards focuses on:
- Performing Internal Audit Services.
- Governing the Internal Audit Function.
- Managing the Internal Audit Function.
- Ethics and Professionalism.
Click here to submit your answer.
Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage. Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment and many others.
What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline
IACA Team
Learn more about your IACA team.