The Quaestor - Volume 8, Issue 1

Internal auditors are charged with examining and evaluating the policies, procedures, and systems which are in place to provide an opinion on: the reliability and integrity of information; compliance with policies, laws, and regulations; the safeguarding of assets; and the economical and efficient use of resources. When there is room for improvement, our exception-based reports communicate recommendations for enhancing internal controls and mitigating business risks.

Working in partnership with operational management, we provide the Audit Committee of the RIT Board of Trustees and RIT senior management an assessment of the internal controls and the exposure of business risks in the areas we audit.

RIT’s policies are designed to help ensure we all comply with applicable laws and regulations and operate efficiently. By following these policies, we all help protect the university from unnecessary risks and help ensure that sound business practices are employed consistently throughout the university.

An IACA annual work plan is developed and approved by the Audit Committee based on an annual assessment of risk across the university. The IACA auditors are assigned the engagements identified in this work plan. In addition to performing audits, and financial fraud investigations when necessary, IACA assists management by providing a fresh perspective utilizing analytical and research skills. These advisory services may include:

Reviewing the reliability and integrity of financial and operating information, reports, and systems

Determining whether operational results are consistent with established objectives and standards

Reviewing the means for adequately safeguarding and verifying the existence of assets

Reviewing the systems established to ensure compliance with policies, plans, procedures, laws, and regulations

Working in a consultative role to improve and/or benchmark processes and controls

We do our best to accommodate all advisory service requests. We're also available to provide presentations and training customized to your department and we offer a training session on Internal Controls and Fraud in the Workplace on a quarterly basis through the Continuing Professional Development (CPD) office.

The IACA mission captures what we do - Institute Audit, Compliance & Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the University community. We focus on preserving the resources of the University for use by our students as they prepare for successful careers in a global society.

In a nutshell, we are a resource for RIT managers; we are here to help RIT and its operational units achieve their objectives. If you would like additional information on the services that we can provide to your area of responsibility, contact any of the IACA staff. Our contact information is on the last page of this newsletter.

Hard-copy materials containing Private Information pose a risk both to RIT and to the individuals whose information is in the materials. For example, on April 14th, 2011, Central Ohio Technical College found that course information had been left in a filing cabinet at an off-campus storage facility, compromising the Social Security Numbers of over 600 registered students. RIT used a similar system with Social Security numbers until June 2006, when University IDs became the main means of
registration and identification on campus. DataLoss DB (http://datalossdb.org/statistics) indicates that almost 25% of breaches have been due to the inadvertent loss of Private Information, in both hardcopy and digital formats. Disposing of unnecessary Private Information will help ensure RIT complies with Private Information laws, policies, and procedures.

New York State defines Private Information (PI) as:

any personal information concerning a natural person combined with one or more of the following data elements: Social Security number (SSN), driver's license number, account number, or credit or debit card number in combination with any required security code. These combinations of information are often used in identity theft.

The New York State Information Security Breach and Notification Act requires that RIT notify affected consumers if their Private Information is compromised.

If you’re not sure of whether or not to dispose of Private Information on your computer, check with your manager or consult the Private Information Decision Tree here: https://www.rit.edu/security/content/private-information-decision-tree

For more information about the Private Information Management Initiative, check out our PIMI FAQ page: https://www.rit.edu/security/content/private-information-management-initiative-pimi-faq and our Document Destruction page: https://www.rit.edu/security/content/document-destruction