The Quaestor - Volume 8, Issue 1

What Do Internal Auditors Do?

Contributed by: Patrick Didas, Associate Director, IACA

Here at IACA, we often find that the university community, and people in general, are not quite sure what internal auditors do.  The objective of this article is to shed some light on this topic.  As internal auditors, we are independent of the activities we  audit, yet we are integral to the organization and provide ongoing monitoring and assessment of all RIT activities.  We are employees of RIT.

As defined by the Institute of Internal Auditors, "internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.  It helps an organization accomplish its objectives by  bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

Internal auditors are charged with examining and evaluating the policies, procedures, and systems which are in place to provide an opinion on: the reliability and integrity of information; compliance with policies, laws, and regulations; the safeguarding of assets; and the economical and efficient use of resources. When there is room for improvement, our exception-based reports communicate recommendations for enhancing internal controls and mitigating business risks.

Working in partnership with operational management, we provide the Audit Committee of the RIT Board of Trustees and RIT senior management an assessment of the internal controls and the exposure of business risks in the areas we audit.

RIT’s policies are designed to help ensure we all comply with applicable laws and regulations and operate efficiently. By following these policies, we all help protect the university from unnecessary risks and help ensure that sound business practices are employed consistently throughout the university.

An IACA annual work plan is developed and approved by the Audit Committee based on an annual assessment of risk across the university. The IACA auditors are assigned the engagements identified in this work plan. In addition to performing audits, and financial fraud investigations when necessary, IACA assists management by providing a fresh perspective utilizing analytical and research skills. These advisory services may include:

Reviewing the reliability and integrity of financial and operating information, reports, and systems

Determining whether operational results are consistent with established objectives and standards

Reviewing the means for adequately safeguarding and verifying the existence of assets

Reviewing the systems established to ensure compliance with policies, plans, procedures, laws, and regulations

Working in a consultative role to improve and/or benchmark processes and controls

We do our best to accommodate all advisory service requests. We're also available to provide presentations and training customized to your department and we offer a training session on Internal Controls and Fraud in the Workplace on a quarterly basis through the Continuing Professional Development (CPD) office.

The IACA mission captures what we do - Institute Audit, Compliance & Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the University community. We focus on preserving the resources of the University for use by our students as they prepare for successful careers in a global society.

In a nutshell, we are a resource for RIT managers; we are here to help RIT and its operational units achieve their objectives. If you would like additional information on the services that we can provide to your area of responsibility, contact any of the IACA staff. Our contact information is on the last page of this newsletter.

Inform RIT

Contributed by Ben Woelk, Program Manager, Information Security Office

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about securing private information

Data Privacy Month: Private Information Disposal

Did you know that January is Data Privacy Month?

For the last two years we’ve focused on remediation and disposal of Private Information resident on RIT computers and we’ve made great progress. Have you thought about disposing of Private Information that’s not on your computer? We encourage you to review “hard-copy” materials, disks, CD/DVDs, video tapes, and any other type of storage media containing Private Information and dispose of those containing unnecessary Private Information appropriately. Don’t forget that retention of RIT information is also governed by the Records Management Policy (C22.0).

Hard-copy materials containing Private Information pose a risk both to RIT and to the individuals whose information is in the materials. For example, on April 14th, 2011, Central Ohio Technical College found that course information had been left in a filing cabinet at an off-campus storage facility, compromising the Social Security Numbers of over 600 registered students. RIT used a similar system with Social Security numbers until June 2006, when University IDs became the main means of
registration and identification on campus. DataLoss DB ( indicates that almost 25% of breaches have been due to the inadvertent loss of Private Information, in both hardcopy and digital formats. Disposing of unnecessary Private Information will help ensure RIT complies with Private Information laws, policies, and procedures.

New York State defines Private Information (PI) as:

any personal information concerning a natural person combined with one or more of the following data elements: Social Security number (SSN), driver's license number, account number, or credit or debit card number in combination with any required security code. These combinations of information are often used in identity theft.

The New York State Information Security Breach and Notification Act requires that RIT notify affected consumers if their Private Information is compromised.

If you’re not sure of whether or not to dispose of Private Information on your computer, check with your manager or consult the Private Information Decision Tree here:

For more information about the Private Information Management Initiative, check out our PIMI FAQ page: and our Document Destruction page:

Additional Information by IACA

Watch IACA’s Monday Minute video series here!

Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.

Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

Learn more about your IACA team.