Institute Audit, Compliance & Advisement
R·I·T
Achieving Excellence Through Collaboration
The Quaestor Quarterly
Volume 10, Issue 2
Spring 2015
quaes·tor [kwes'tôr] ‘one who asks questions’
IACA’s Mission

Institute Audit, Compliance & Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the university community. We focus on preserving the resources of the university for use by our students as they prepare for successful careers in a global society.

Inside This Issue
Training Opportunities Provided by IACA (p. 2)
Inform RIT (p. 3)
COSO Corner (p. 5)
Word on the Street (p. 6)
RIT Ethics Hotline (p. 6)
Pop Quiz Challenge (p. 7)

What’s New in IACA?
It appears we have finally shaken the cold winter and can welcome spring. The
past several months have been a time of change at IACA as well. We have
been busy adjusting to new roles and responsibilities while continuing to
provide the same level of high quality professional internal auditing services to
the RIT community.
This past November, I was named Assistant Vice President of IACA. However,
as most of you likely know, I’m not new to IACA; I have been the Associate
Director of IACA for the past nine years. In my current role, I have a dual
reporting relationship reporting both to Dr. Watters, RIT’s Senior Vice President
for Finance and Administration, as well as the Chairperson of the Audit
Committee of the Board of Trustees. That reporting relationship provides IACA
the independence required of an internal audit function.
The two former Senior Internal Auditors for IACA, Nancy Nasca and Wendy
Roy, were recently promoted to Manager, a title that better reflects the
responsibilities they carry for IACA in addition to their audit engagement
responsibilities.
Nancy is also our departmental compliance
coordinator - making sure IACA is aligned with the professional standards we
must abide by as members of the internal audit profession. Additionally, Nancy
is developing a training session that will be offered through RIT’s Center for
Professional Development (CPD) on the topic of Risk Assessment. As internal
auditors, we often talk about internal controls; this class will help attendees to
identify business risks that may require internal controls to be implemented or
strengthened in order to meet business objectives. In other words, identifying
“the things that keep you up at night.”
Wendy is our professional development coordinator, responsible for tracking
the licensing and training that is required by our professional licenses and
certifications. Wendy and I present our CPD offering of Internal Controls and
Fraud in the Workplace as well as the Basic Business Essentials sessions for
academic department heads. Wendy also hosts the popular IACA Monday
Minute video series found here: https://www.rit.edu/fa/iaca/content/iaca-monday-minute.
(continued on p. 2)
What’s New in IACA? (continued from p. 1)
Chris VanHemel, our Staff and Audit Assistant, has learned new audit skills to expand her
ability to assist with various types of audits.
The newest member of the IACA team is our Associate Internal Auditor, Alissa Jatsenti.
She is a CPA and was most recently with the accounting firm KPMG. Alissa is new to the
Rochester area and is very excited to be here at RIT.
Although our Senior IT Auditor position is currently vacant, we have begun to recruit for
that position.
This past October, the IACA staff earned Six Sigma Yellow Belt certifications through
RIT’s Center for Quality and Applied Statistics. For our in-class assignment (which
continued after the class ended) we worked primarily on improving the format and distribution
of our audit reports. Since our report is the final “product” of our services, it is a very
important document for us as well as our clients. The goal was to simplify our reports,
ensure the appropriate level of management is aware of the opportunities for
improvement, and acknowledge areas that have effective and efficient internal controls –
something most audit reports (including our previous report style) typically don’t include.
We are all excited and energized by the many changes that have occurred over the past
months at IACA and we remind you that we are here to serve the university community
with professional services. We include time for advisory requests in our annual audit
plan; so if you have a process/area that you would like reviewed, or just have an internal
controls related question, please give any of us a call. We are here to serve the RIT
Community.
~~ Contributed by Patrick M. Didas
Assistant Vice President
Institute Audit, Compliance & Advisement
Training Opportunities Provided by IACA
IACA’s Internal Controls and Fraud in the Workplace class is two and one half hours in
length and is required to receive the RIT Accounting Practices, Procedures and Protocol
Certificate of Completion. However, anyone interested in learning about internal controls
and fraud prevention is welcome to attend.
To learn more about these important topics, sign up for IACA’s Internal Controls and
Fraud in the Workplace class at the CPD website:
http://www.rit.edu/fa/cpd/leadership/internalcontrolsandfraud.html
Upcoming Internal Controls &
Fraud in the Workplace Training Sessions:
Tuesday, July 21, 2015
9:00am to 11:30am
2140 Louise Slaughter Hall
Wednesday, October 14, 2015
9:00am to 11:30am
2140 Louise Slaughter Hall
Inform RIT
Inform RIT is a recurring column provided by the RIT
Information Security Office. The column highlights current
issues and initiatives that impact the RIT community. In
this issue, we’ll talk about reliance on anti-virus for
protection and the concept of layering.
Anti-virus isn’t enough!
For years, PC users have relied on anti-virus to provide them with 100% protection from
attacks by malicious software, whether the attack occurs when visiting a website or
opening an infected attachment. Mac users have sometimes assumed that they needed
no malware protection whatsoever.
What percentage of malware (malicious software, including viruses, worms, Trojans, etc.)
do you think is detected by anti-virus software? 95%? 90%? 80%?
How does anti-virus work?
AV-Comparatives (https://av-comparatives.org) states that they are an independent
organization offering systematic testing of PC/Mac-based antivirus products. Reading
their most recent report is encouraging. Depending on the anti-virus product you choose,
malware detection may be more effective now than ever. However, other studies
(http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf)
have shown that anti-virus detection rates, although very good for some of the industry-leading
products, are sorely lacking for some products, with detection rates of less than
50%. (McAfee, the anti-virus protection offered by RIT, scores well on both tests.)
OK. So you’ve chosen an anti-virus product with very high detection rates. Your worries are over, right? Unfortunately, it’s not that simple.
Most anti-virus products score well against known samples. However, new malware
variants are created hourly, and your anti-virus may or may not be good at detecting
unknown malware. Anti-virus relies on two types of detection: signatures of known
malware (also known as DAT files, after the update files McAfee delivers them in) and
heuristic detection (behavioral analysis) of unknown malware. Not surprisingly, anti-virus
doesn’t do as well against unknown malware threats as it does against known threats.
Another factor in determining anti-virus effectiveness is how long it takes an anti-virus
firm to add detections for new malware. The longer the gap between malware appearing and
a signature for it being released, the longer you may be exposed to that malware threat.
OK. You’ve told me anti-virus isn’t enough and I may be starting to believe you. What do I need to do to protect myself?
The classic model of protection in information security is the concept of layering. Layering
means that you don’t rely on any one level of protection (such as anti-virus) to provide
all of your protection. For you, that means employing a combination of technical
protections, practices, and a dose of common sense. The RIT Desktop and Portable
Computer Standard (https://www.rit.edu/security/content/desktop-and-portable-computer-security-standard)
provides minimum requirements for protecting desktop computers.
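The two detection methods described above, and the reason layering is needed on top of either, can be seen in a small simulation. The block below is an added example written for this column; it is not code from the newsletter, from McAfee, or from any other vendor. Its signature database is one constructed SHA-256 (real signature files also carry byte patterns, not only hashes), its heuristic rules are four constructed regular expressions, and every sample is a made-up string. It goes a little beyond the text by also including a variant that slips past the heuristics, which is exactly the gap that the other layers (patching, firewall, user habits) are there to close.

```python
import hashlib
import re

# Layer 1: a signature database. Real products ship these as update files
# (McAfee calls them DAT files); here it is one constructed SHA-256 of a
# sample the "vendor" has already analysed.
KNOWN_SAMPLE = (
    b"MZ\x90\x00 dropper v1\n"
    b"powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\n"
    b"schtasks /create /sc onlogon /tn Updater /tr %TEMP%\\svc.exe\n"
)
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_scan(sample: bytes) -> bool:
    """Exact-match detection: only samples already in the database are caught."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# Layer 2: heuristic rules. Constructed for this example; real engines use
# far richer static and behavioural features than a few byte patterns.
HEURISTIC_RULES = [
    (re.compile(rb"powershell(\.exe)?\s+-(e|enc|encodedcommand)\b", re.I),
     "encoded PowerShell command line"),
    (re.compile(rb"schtasks\s+/create\b", re.I), "scheduled-task persistence"),
    (re.compile(rb"%TEMP%\\\S+\.exe", re.I), "executable dropped in %TEMP%"),
    (re.compile(rb"vssadmin\s+delete\s+shadows", re.I), "shadow copy deletion"),
]


def heuristic_scan(sample: bytes) -> list:
    """Return the name of every rule that fires; the caller picks the threshold."""
    return [name for pattern, name in HEURISTIC_RULES if pattern.search(sample)]


def layered_verdict(sample: bytes, threshold: int = 2) -> dict:
    """Combine both layers: a signature hit is decisive; otherwise flag the
    sample when at least `threshold` heuristics fire (one rule alone is noisy)."""
    sig = signature_scan(sample)
    hits = heuristic_scan(sample)
    return {"signature": sig, "heuristics": hits,
            "malicious": sig or len(hits) >= threshold}


# Constructed inputs for the demonstration.
# A "new variant": the author changed one word in a comment, which is all it
# takes to defeat a hash signature until the vendor adds the new sample.
VARIANT = KNOWN_SAMPLE.replace(b"dropper v1", b"dropper v2")
# A further-obfuscated variant: the command name is assembled at run time, so
# the "powershell" pattern never appears and the heuristics miss it too.
OBFUSCATED = (
    b"MZ\x90\x00 dropper v3\n"
    b"set p=power&& set q=shell.exe && call %p%%q% -enc SQBFAFgAIAAoAE4A\n"
)
# An ordinary installer: neither layer should fire.
BENIGN = b"MZ\x90\x00 hello world installer\nmsiexec /i setup.msi /quiet\n"

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT),
                          ("obfuscated", OBFUSCATED), ("benign", BENIGN)]:
        print(f"{label:10s} {layered_verdict(sample)}")
```

Running it shows the progression the column describes: the known sample is caught by its signature, the one-word variant is missed by the signature but caught by three heuristics, and the obfuscated variant evades both layers while the benign installer triggers nothing. That last case is the one no anti-virus setting fixes; it is why the standard below asks for a firewall, patching and careful users as well.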
(continued on p. 4)

“I believe in evidence. I believe in observation, measurement, and reasoning, confirmed by independent observers. I’ll believe anything, no matter how wild and ridiculous, if there is evidence for it. The wilder and more ridiculous something is, however, the firmer and more solid the evidence will have to be.”
- Isaac Asimov, scientist and writer (1920-1992)

Inform RIT (continued from p. 3)
Those requirements include ensuring that your firewall is active, that you’re up to
date on security patches, that your computer is set to log you out automatically
after a set time period (15 minutes is a good choice for most users), that your
computer is encrypted when accessing private information, and a few other
requirements.
The Password Standard (https://www.rit.edu/security/content/password) provides
minimum password requirements; and we provide a brochure that explains how to
create an easy-to-remember passphrase. Although there’s been a lot of talk about
the usefulness of passwords, a good password provides an additional layer of
protection.
Practices include the proper access, storage, and transfer of Private and
Confidential information (IAP Standard), use of an appropriate RIT signature on
official communication, and proper use of portable media. The Best Practices
section of our website (https://www.rit.edu/security/content/keeping-safe)
provides a great deal of information that will help you protect yourself (at home
and at RIT), other members of the RIT community, and RIT resources.
Wait! That’s a lot I need to do!
Yes, in some ways that’s true. However, cyber criminals target you, not just
computers and systems. Because we are each targeted, we need to not only take
advantage of the protection provided by RIT, but to take an active role ourselves in
providing protection. We’re not asking you to become a cyber warrior. We do want
you to realize you have active adversaries and that the best technical protection
can’t stop human error. Much of what we need to do is to slow down and think
before we click. Our adversaries try to hurry us into making poor decisions.
We are refreshing the DSD101 course, Introduction to Digital Self Defense, and
plan to begin offering it again later this summer. Let me know what you’d like us to
cover in that class.
Ben Woelk, CISSP
ISO Program Manager
For more information about protecting yourself and RIT, visit the RIT Information
Security Webpage (http://www.rit.edu/security), contact us at [email protected], or
call us at 585-475-4123.
Did you know that the RIT Information Security Office has more than 6800 likes of
its Facebook Page (http://www.facebook.com/RITInfosec) and more than 1100
Twitter followers (@RIT_Infosec)? Like us or follow us today!
~~ Contributed by Ben Woelk
Program Manager
RIT Information Security Office
COSO Corner
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
As explained in previous editions of the Quaestor Quarterly, the COSO Framework
(an internationally recognized standard against which the adequacy and effectiveness of an
organization’s internal controls are evaluated) was updated in May 2013 to further define
the principles underlying the five components of internal control (Control Environment,
Risk Assessment, Control Activities, Information and Communication, and Monitoring).
According to the Framework, these principles are fundamental concepts that must be
present and functioning in order to achieve an effective system of internal control. In
addition, the Framework includes points of focus or characteristics that are examples of
behaviors or processes that would be expected to be in place to demonstrate that the
related principle is in fact present and functioning. This edition of the COSO Corner will
summarize the fifth and final principle relating to the Control Environment component of
the COSO Framework, as well as the related points of focus.
Principle 5 – The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives:

- Management and the Board of Trustees enforce accountability for performance of
internal control responsibilities across the university and implement corrective action
as necessary. At RIT, IACA provides the Audit Committee of the Board of Trustees a
summary of audit results and periodic status updates on management’s
implementation of corrective actions.

- Performance measures, incentives and rewards are developed at all levels of the
university to encourage the achievement of organizational objectives. These
measures should be reviewed periodically for on-going relevance and adequacy. RIT’s
current initiatives to review its staff performance appraisal system and update
its tenure and promotion policies are consistent with this point of focus.

- Employee performance is periodically measured against established measures, and
rewards are allocated or disciplinary action is exercised as appropriate. RIT’s annual
performance appraisal processes illustrate the application of this principle.

- Pressures created by the establishment of goals and targets toward the achievement
of objectives are balanced with appropriate messaging, incentives and rewards. RIT’s
commitment to acknowledging staff and faculty member achievements in its numerous
award and recognition programs demonstrates the presence of this principle.
Reference
Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control –
Integrated Framework – Framework and Appendices”
~~ Contributed by Nancy A. Nasca
Manager
Institute Audit, Compliance & Advisement
~ Ask the Auditor ~
Submit a question to the IACA webpage
https://www.rit.edu/fa/iaca/forms/ask
by July 31, 2015.
If your question is chosen for publication
in our newsletter, you will receive a
prize valued at $15.
Word on the Street
“This year, our university behavioral intervention team, SBCT (Student Behavior
Consultation Team) requested an internal audit from IACA regarding our business
process utilized when managing students of concern. We had the opportunity to work
with Ms. Nancy Nasca as the project lead for this audit. I was extremely impressed
with Nancy’s thoughtful questions, her understanding of all of the complexities involved
in managing student behavior, along with the sensitive nature and confidentiality
requirements necessary when working with students who have exhibited mental health
concerns. She met with our team, along with key individuals, and was able to
synthesize her findings into a report that was both pragmatic and insightful, and accurately
captured the essence of what we do each day. I know as Chair of SBCT, I deeply
appreciated the “homework” that Nancy did prior to initiating the audit, and her ability
to listen to all of the stakeholders who dedicate themselves to assisting students in
need. It was a very positive experience, and I hope to continue working with IACA as
we examine all of our protocols within the area I supervise.”
~~ Contributed by Dr. Dawn Meza Soufleris
Associate Vice President,
Residential Education and Community Standards
Division of Student Affairs
Watch IACA’s Monday Minute video series here!
Our monthly one-minute video series focuses on
opportunities for improving internal controls;
we hope that you find the information beneficial. If you have
questions, feel free to contact anyone in the
IACA office using information on our webpage.
Past Topics:
Travel Policy changes, FERPA Regulations, and Lenel Access
What about ethics in the workplace?
To learn more about
the RIT Ethics Hotline, check out
http://www.rit.edu/fa/svp/content/ethics-and-compliance-hotline-whistleblower
Pop Quiz Challenge
Take the Pop Quiz Challenge! Correctly answer the question below and you
will be entered in a drawing to win a prize valued at $15. One lucky winner
will be chosen randomly and notified by email.

Question:
According to Inform RIT, malware “signatures” are also known as which of the
following?
A. DAT files
B. Heuristic detection
C. Malware
D. Anti-virus software

Post your answer to our Quiz webpage at:
https://www.rit.edu/fa/iaca/content/quiz

************************************************************

Congratulations to Tish Purcell from the College of Applied Science and
Technology for correctly answering the Winter issue’s Pop Quiz question.
The question and the correct answer were:
According to the lead article, RIT’s Educational Records Policy addresses key
requirements of which Federal or State laws?
A. FCPA
B. Title IX
C. EH&S
D. FERPA (Correct)

IACA TEAM:
Patrick M. Didas ‘90, CPA, CFE, CCA, assistant vice president, 475-6826
Wendy J. Roy, CPA, manager, 475-7011
Nancy A. Nasca, CPA, CIA, manager, 475-5293
Alissa Jatsenti, CPA, associate internal auditor, 475-7849
Christine M. VanHemel ‘12, staff & audit assistant, 475-7647