How Strong is the Control Environment in your Area?
Contributed by: Patrick Didas, Associate Director, Institute Audit Compliance & Advisement
By now you have noticed the regular column in the Quaestor Quarterly called COSO Corner. Look for it in this issue on page 7. COSO Corner is written by IACA Senior Internal Auditor Nancy Nasca and highlights the new COSO framework which was redesigned last year in light of many changes in business and operating environments since the issuance of the original COSO framework in 1992.
This article focuses on the bedrock of a well-controlled operation, the control environment. Also referred to as the internal environment, the control environment is the foundation for a solid internal control structure in any entity and establishes the business risk culture. Every layer of an entity (a division, a department, or an operating unit within a department) has its own control environment. You have likely heard it referred to as the “tone at the top.” Keep in mind that the tone at the top is not just senior management’s responsibility, but that of all leaders. It could be said that all employees, regardless of job title, function as leaders if they embody the key values of stewardship, trustworthiness, insight, humility and enthusiasm.
The control environment sets the basis for how risk and control are viewed by an entity’s people. The core of any business is its people; their attributes, integrity, ethical values, and competence influence the environment in which they operate. Other control environment factors include management's philosophy and operating style, the way management assigns authority and responsibility, and the way it organizes and develops its people.
Other signs of a solid control environment include:
Leading by Example:
Managers should demonstrate through their own actions their commitment to honesty, ethical strength, reliability, and fairness.
Communicating and Promoting Ethics and Values:
Management should clearly communicate its ethics and values throughout their area of responsibility. These values could be communicated through formal methods (written codes of conduct, policies, staff meetings, memos, etc.), or informally, during day-to-day interaction and operations.
RIT has a method for employees who witness unethical behavior to report it anonymously (the RIT Ethics Hotline). Employees are responsible for reporting such activity and should feel safe from retaliation. Managers should be familiar with, and make their employees aware of, the RIT Ethics Hotline and RIT Policy C0.0, which includes Standards of Ethical Conduct and Whistleblower Protection Against Retaliation.
Management should acknowledge employees who demonstrate honesty and integrity. Doing so will help communicate management’s commitment to this behavior and will encourage others to act likewise. This will promote integrity within the university and have a positive influence on others.
To summarize, while every employee in the RIT community has a personal and professional obligation to be a good steward of university assets and resources, a manager has a particular responsibility to ensure that the control environment in their area of responsibility is aligned with the expectations of senior management and the Board of Trustees and promotes ethical behavior.
How strong is the control environment in your area?
The RIT Ethics Hotline is a great option for employees to utilize when they are uncomfortable about bringing a concern forward in person. Every report is taken seriously and is appropriately investigated. If you have any questions about the Hotline, please contact Steve Morse at firstname.lastname@example.org.
Contributed by Ben Woelk, Program Manager, Information Security Office
Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community.
Information Handling and You
Did you know that all information you handle in the course of your work at RIT has one of four classifications? Did you know that RIT has specific policies governing how you handle these different types of information?
We handle many types of information at RIT. Much of it is relatively innocuous and not anything we need to worry about. However, some of the information you handle may be useful for identity theft or be RIT business-related and confidential. There are also federal and state laws governing the handling of specific types of information.
Information is classified by its degree of confidentiality by the Information Access and Protection Standard. Here are the four classification levels and related handling information:
Private information is information that is confidential and which could be used for identity theft. Private information also has additional requirements associated with its protection (e.g., state and federal mandates). Examples include:
Social Security Numbers (SSNs) or other national identification numbers
Driver’s license numbers
Financial account information (bank account numbers, checks, credit or debit card numbers), etc.
Use alternatives to Private information whenever possible. Unless required by RIT business processes, files should not contain Private information. Sanitize all unnecessary Private information by redacting (removing) the Private information. Redaction should be done in such a manner that the Private information is completely removed from the files—masking of Private information is insufficient. Approved sanitization, redaction, and disposal practices may be found at https://www.rit.edu/security/content/information-access-protection-stan….
Stored Private information should be protected with documented technical and process controls that limit access in both physical and electronic environments. Private information in electronic form should be stored in secure ISO-approved servers or another ISO-authorized, encrypted form. Transfer or sharing of Private information is prohibited unless it is essential to RIT business practices, and should be done using an ISO-approved transfer method such as the Tiger File exchanger, encrypted e-mail, or file-based encryption. Avoid printing Private information unless necessary for business operations, and implement the ISO-recommended printer best practices where possible.
Confidential information is information that is restricted to a need-to-know basis and due to legal, contractual, ethical, or other constraints may not be accessed or communicated without specific authorization. Examples include:
University Identification Numbers
Educational records governed by FERPA that are not defined as directory information (see RIT Educational Records Policy D15.0)
Employee health information as defined by the Health Insurance Portability and Accountability Act (HIPAA)
Management information, including communications or records of the Board of Trustees and senior administrators, designated as Confidential
Faculty research or writing before publication or during the intellectual property period (see RIT Intellectual Property Policy 3.0)
Third party information that RIT has agreed by contract to handle as confidential
Confidential information should only be used and disclosed to others on a need-to-know basis in order to perform RIT business operations. Any transfer or sharing of Confidential information should include an annotation labeling the document or file as “Confidential” (education records governed by FERPA that are not defined as directory information are excluded from the marking requirement).
Confidential information in paper form should be stored in locked areas; in electronic form, it should be protected using secure information technology resources and access controls. Confidential information should not be stored or posted in blogs, wikis, or other digital locations/repositories that do not use ISO-approved authentication and authorization.
Internal information is restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of university business. Examples include online building floor plans, specific library collections, etc.
Use secure information technology resources and access controls whenever storing, transferring, or sharing Internal information.
Public information may be accessed or communicated by anyone without restriction and has no special handling requirements associated with it.
Private Information Management Initiative
The Private Information Management Initiative focuses on helping RIT employees identify and reduce or eliminate Private Information not needed for business processes. Most of you are familiar with the Identity Finder software that runs monthly on your RIT computer. The Identity Finder software searches your system for data patterns that look like Private Information. Identity Finder provides a search results window that enables you to examine the suspected Private Information found and shred (delete) or scrub (redact) the information. It also allows you to choose “Ignore” for information that is a false positive. (A false positive matches the data pattern of Private Information, but is not actually Private Information. We typically see false positives in various statistical packages and in spreadsheets that contain entries that are nine-digit numbers or otherwise appear to be account numbers.)
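The scanning and scrubbing steps described above, as an added example that is not Identity Finder or any other RIT tool: a small pattern scanner for SSN-like and card-number-like strings, with two checks that remove the false positives the column mentions (nine-digit numbers that merely look like an SSN) and a scrub step that removes, rather than masks, what it finds. The SSN structure rules (areas 000, 666 and 9xx, group 00 and serial 0000 are never issued) and the Luhn checksum for card numbers are real checks; the keyword-context rule, the 40-character window, the confidence labels and all sample text are assumptions constructed for this example.

```python
"""Toy Private-information scanner and redactor (added example, not RIT's Identity Finder).

Shows how a pattern scanner finds SSN- and card-like strings, why bare nine-digit
numbers produce false positives, how structural checks cut them down, and why a scrub
replaces the value outright instead of masking part of it. All sample text is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# SSN-like pattern: 3, 2 and 4 digits; the backreference forces one consistent separator.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
# Card-like pattern: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Nearby words that make a bare nine-digit number more likely to really be an SSN (assumption).
SSN_CONTEXT = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)
CONTEXT_WINDOW = 40  # characters of preceding text to inspect (assumption)


@dataclass
class Finding:
    kind: str         # "SSN" or "CARD"
    value: str        # matched text exactly as it appears in the input
    start: int
    end: int
    confidence: str   # "high" -> scrub; "low" -> leave for a human to shred or ignore


def ssn_structurally_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 9xx; group 00; serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers (separators must already be removed)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Finding]:
    """Return candidate Private-information hits, ordered by position in the text."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.group(1), m.group(2), m.group(3), m.group(4)
        if not ssn_structurally_plausible(area, group, serial):
            continue  # e.g. 000-12-3456 cannot be an SSN, so it is not reported
        if sep == "":
            # A bare nine-digit run is the classic false positive (account numbers,
            # statistics); only trust it when the preceding text says it is an SSN.
            window = text[max(0, m.start() - CONTEXT_WINDOW):m.start()]
            confidence = "high" if SSN_CONTEXT.search(window) else "low"
        else:
            confidence = "high"
        findings.append(Finding("SSN", m.group(0), m.start(), m.end(), confidence))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Digit runs that fail the Luhn check (tracking ids, order numbers) are not reported.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("CARD", m.group(0), m.start(), m.end(), "high"))
    return sorted(findings, key=lambda f: f.start)


def scrub(text: str) -> str:
    """Remove high-confidence findings outright.

    The replacement carries no digits, so nothing can be recovered from it; masking
    (e.g. ***-**-6789) leaves part of the value behind and is not treated as sanitization.
    Low-confidence hits are left in place for human review.
    """
    out = text
    for f in sorted(scan(text), key=lambda f: f.start, reverse=True):  # right-to-left keeps offsets valid
        if f.confidence == "high":
            out = out[:f.start] + f"[REDACTED {f.kind}]" + out[f.end:]
    return out


# Constructed sample text for the example; none of these values is real.
SAMPLE = """Employee record: SSN 123-45-6789, emergency contact on file.
Legacy import: 000-12-3456 (placeholder used by the old system).
Survey dataset row: respondent 246813579 weight 0.42
Vendor note: SSN 321654987 supplied for 1099 reporting
Card on file: 4111 1111 1111 1111 (do not store!)
Tracking id: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:4} {f.confidence:4} {f.value}")
    print(scrub(SAMPLE))
```

Run as written, the scanner reports the dashed SSN and the card number as high confidence, drops the impossible 000 area and the tracking id that fails Luhn, treats the bare survey number as low confidence (the "Ignore" case), and promotes the vendor's bare number to high confidence because of the "SSN" label in front of it. Only the high-confidence values are removed by the scrub.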
We appreciate your diligence in handling information properly. It increases the safety of both RIT’s and your information.
Courses Available to Employees Include:
DSD 103 Information Handling
RIT employees handle or are exposed to Private and Confidential information every week. It is important to use appropriate and secure information handling practices to protect these types of information. Inadvertent loss or disclosure of Private information may result in a Notification event under the NYS Information Security Breach and Notification Act.
Attendees of the Digital Self Defense (DSD) 103—Information Handling course will learn new and improve existing information handling skills. Specifically, the course explains the different classes of information at RIT, how these types of information should be treated, and the correct means of storage, transfer, and destruction to be used. Completion of the course should provide the user with the necessary knowledge to be in compliance with the Information Access & Protection (IAP) Standard.
DSD 103 Online Course
DSD 103 Information Handling is now available as a self-paced online class through the RIT E-Learning Zone.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner
Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement, email@example.com
As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.
In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that would be expected to be in place to demonstrate that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the second principle relating to the Control Environment component of the COSO Framework, as well as the related points of focus.
Principle 2 – The Board of Trustees (BOT) demonstrates independence from management and exercises oversight of the development and performance of internal control. Key characteristics (points of focus) relating to this principle include:
The BOT identifies and accepts its oversight responsibilities in relation to established requirements and expectations. The Board is responsible for providing oversight and constructive feedback to management.
The BOT maintains, and periodically evaluates, the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
The BOT has sufficient members who are independent from management and objective in evaluations and decision making.
The BOT retains oversight responsibility for management’s design, implementation, and conduct of internal control. The President and senior management bear direct responsibility for developing and implementing the internal control system. Board oversight is supported by structures and processes that management establishes at a business-execution level.
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.
Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.