The Quaestor - Volume 8, Issue 3

What is the Standard by Which Internal Controls are Evaluated?

Contributed by: Nancy Nasca, IACA Senior Internal Auditor

In 1992, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission published an Internal Control – Integrated Framework (the COSO Framework). Since 1992, the COSO Framework has become an internationally recognized standard against which the adequacy and effectiveness of an organization’s internal controls are evaluated. The COSO Framework defines an internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and, compliance with applicable laws and regulations.”

The framework further goes on to define the following five components that are an integral part of an effective overall internal control system:

  • Control Environment – The control environment of an organization is often referred to as the “Tone at the Top” and refers to the ethical values promulgated by senior management and demonstrated through their management philosophy and operating style. Examples of practices which would indicate that a strong control environment exists include, but are not limited to, an employee code of conduct, well-defined roles and responsibilities, published authorization hierarchies, conflict of interest policies, and adequate employee training.
  • Risk Assessment – Risks can be both external (i.e., economic changes, competition, regulatory changes) and internal (i.e., misappropriation of assets, change in management, data corruption/inaccuracies) and must be identified and effectively managed in order to reduce the possibility of an organization failing to meet its strategic objectives (both at the entity-wide and activity level).
  • Control Activities – Control activities are the specific processes designed to mitigate the risks which would prevent an organization from achieving its objectives. Examples of common control activities found within successful organizations include, but are not limited to, segregation of duties, reconciliations, use of performance indicators, and policies and procedures.
  • Information and Communication – Communication of an organization’s objectives and the dissemination of relevant and timely information necessary for effective decision making are crucial components of an effective internal control system enabling management to successfully conduct, manage, and control its operations. 
  • Monitoring – Although an organization may design an adequate internal control system to facilitate the achievement of its goals and objectives, this system must be regularly monitored and evaluated to ensure that the controls are effectively functioning as intended.

In 2013, the COSO Framework was updated to provide additional guidance on the evaluation of internal controls. Although the revised framework retained the five components of internal control as described above, it further defines 17 principles associated with these five components which are necessary for effective internal control. In addition, it provides 81 points of focus to help assess whether the 17 principles are present and functioning. IACA will further expand upon the principles included in the new 2013 COSO framework (which will replace the original framework as the standard for internal control assessment effective December 15, 2014) in future Quaestor Quarterly Issues. Look for this information in our new “COSO Corner.”

Committee of Sponsoring Organizations of the Treadway Commission (1992). “Internal Control Integrated Framework Executive Summary.”

Inform RIT

Contributed by Ben Woelk, Program Manager, Information Security Office

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about secure use of wireless networks.

Accessing wireless networks safely

Wireless networking allows you to connect to a network or the Internet without a cable. Some of the networks you may connect to wirelessly include:

  • The RIT public network and encrypted WPA and WPA2 networks through campus-wide wireless access points
  • A wireless router connected to your home Internet connection
  • A wireless “hotspot” at an airport, hotel, coffee shop, or rest area

As more people purchase laptops, smartphones and other mobile devices, wireless network access has become increasingly popular and convenient. Unfortunately, most wireless access points are set up in a manner that is insecure, placing your privacy, your data and your computer at significant risk.

Network security:
Secure networks

Secure wireless networks use WPA2 encryption protocols, and should prompt you for a passcode or key in order to gain access. Some protocols, such as WEP and WPA, will require a password but do not provide adequate security. Make sure to identify what protocol the network is using by checking your wireless settings.

Insecure networks

If the wireless network you are trying to access uses WEP or WPA encryption or does not require a passcode at all, then it is probably insecure.
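One way to apply the secure/insecure rule above to the networks in range, as an added example that is not part of the original column. It assumes a Linux laptop running NetworkManager, where `nmcli -t -f SSID,SECURITY device wifi list` prints one `SSID:SECURITY` line per network; the scan output and network names are constructed, and WPA3 (not mentioned in the column) is treated as secure.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and backslash-escapes ':' inside values.
SAMPLE_SCAN = r"""HomeNet:WPA2
CoffeeShop:
OldRouter:WEP
Legacy-AP:WPA1
Mixed\:Mode:WPA1 WPA2
Campus-Secure:WPA2 802.1X
:WPA2
"""

WEAK = {"WEP", "WPA", "WPA1"}   # ask for a password but are not adequate
STRONG = {"WPA2", "WPA3"}       # WPA3 is an assumption added to the column's rule

def split_terse(line):
    """Split a terse-mode line on unescaped ':' and drop the escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))   # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map a SECURITY field to a verdict using the column's rule."""
    raw = set(security.split()) - {"--"}
    if not raw:
        return "insecure: open, no passcode"
    modes = raw - {"802.1X"}              # 802.1X is the login method, not the cipher
    weak = modes & WEAK
    if weak:                              # mixed WPA1/WPA2 still accepts WPA
        return "insecure: accepts " + "/".join(sorted(weak))
    return "ok" if modes and modes <= STRONG else "unknown: check manually"

def audit_scan(text):
    """Return (ssid, verdict) for every network in the scan output."""
    results = []
    for line in text.splitlines():
        if line.strip():
            ssid, security = (split_terse(line) + [""])[:2]
            results.append((ssid or "<hidden>", classify(security)))
    return results

if __name__ == "__main__":
    for ssid, verdict in audit_scan(SAMPLE_SCAN):
        print(f"{ssid:15} {verdict}")
```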

Insecure wireless networks are susceptible to “sniffing.” Anyone with a laptop or mobile device in range of your computer can read your network traffic, including unencrypted websites, e-mails, instant messages and any file you download. It’s similar to a home phone line: someone in another room can pick up a different receiver and listen to your entire conversation.


If you are hosting your own wireless network and have not enabled encryption, anyone within range will be able to access your Internet connection. If an unauthorized person uses your network to commit a crime or send spam, the activity can be traced back to your account.

Protect your privacy

Accessing an insecure wireless network is inherently risky, but there are some things you can do to help protect yourself (and your private information):

Use a VPN

A Virtual Private Network, or VPN, is a private network that uses the Internet to connect remote sites or users together. In doing so, it encrypts all network traffic at the sending and receiving ends, and uses authentication to deny access to unauthorized users. If you have VPN access through RIT or another service, use it whenever you access a wireless network.

Stay on “secure” sites

Some “secure” websites encrypt traffic to and from them automatically. You can recognize these sites by checking for “https://” (note the “s”) and a lock icon either in the address bar or the lower right-hand corner of your browser.

Encrypt your traffic

Encrypting your Internet traffic makes it much harder for others to “listen in” on what you’re doing. Check the settings on your e-mail and instant messaging software for some method of encrypting your traffic. Enable settings for “Secure Socket Layer” or “SSL.”

Disable ad-hoc networking

Ad-hoc networking allows computers to connect directly to one another without an access point between them. These types of networks can pose a security threat because they usually have little protection. Disable this feature unless you need it.

Get connected

Running your own wireless network is easy, but it’s critical to secure it properly. The steps that you need to take vary by device so make sure you check your manual.

Make sure you configure the following settings on your router/access point:

Enable WPA2 encryption. Enabling encryption helps prevent attackers from sniffing your traffic and forces anyone attempting to access your wireless network to enter in a passcode. Without the right passcode, they can’t “piggyback” on your network.

Change the default SSID and administrative password. The SSID (Service Set Identifier) is essentially the “name” of your network. Beware of using the default router name and password; hackers can easily find the default login information from the vendor.

Disable SSID broadcasting. Many public networks broadcast their SSID to make the network easy to find. Disabling SSID broadcasting hides your wireless network from the casual observer. Anyone attempting to connect must know the SSID.

Enable MAC filtering. Each wireless network card has a unique identification number known as a Media Access Control (MAC) address. Set your network to only allow approved MAC addresses to prevent network break-ins.

Keep your router software and drivers up to date. A driver is just a piece of software, and like any software, is not immune to bugs. Keeping the drivers up to date ensures that your wireless device has the latest protection and support from product vendors.
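The checklist above, turned into an automated check as an added example that is not part of the original column. It assumes the access point is configured through a hostapd-style `key=value` file (consumer routers expose the same settings in their web interface); both sample configurations, the file path and the short list of default SSIDs are constructed, and the admin password and firmware version are not visible in such a file, so they are not checked.

```python
# Constructed hostapd.conf-style samples: one as shipped, one following the checklist.
WEAK_CONF = """
interface=wlan0
ssid=linksys
wpa=1
wpa_passphrase=example-passphrase
"""

HARDENED_CONF = """
interface=wlan0
ssid=maple-street-42
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-long-passphrase
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.list
"""

# Illustrative vendor-default network names (assumption; extend for your hardware).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return one finding per checklist item the configuration misses."""
    conf = parse_conf(text)
    findings = []
    wpa = conf.get("wpa", "0")            # hostapd bitfield: 1=WPA, 2=WPA2, 3=both
    if wpa == "0":
        findings.append("no encryption: enable WPA2 (wpa=2)")
    elif wpa != "2":
        findings.append("WPA (version 1) still accepted: set wpa=2")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID in use: choose your own network name")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast: set ignore_broadcast_ssid=1")
    if conf.get("macaddr_acl", "0") != "1":   # 1 = only MACs in accept_mac_file
        findings.append("no MAC allow-list: set macaddr_acl=1 with accept_mac_file")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "all checks passed")
```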

Using wireless at RIT

All wireless users at RIT are strongly urged to use the encrypted WPA2 network. The use of wireless routers is prohibited in residential areas on campus.

Get informed

Visit the RIT Information Security website to read the security standards, access security tools and software, or find out more ways to protect yourself.

For more information about the Private Information Management Initiative or if you have any other questions about Information Security at RIT, visit the RIT Information Security Webpage at, contact us at, or call 585-475-4123.

Additional Information by IACA

Watch IACA’s Monday Minute video series here!

Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.

Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

Learn more about your IACA team.