The Quaestor - Volume 14, Issue 3

How to Prepare for an Audit

Contributed by: Wendy Roy, Assistant Director, IACA

In the Fall 2018 issue of the Quaestor, we described what you might expect if you were selected for audit by IACA. So the next question you might have is “how do I prepare for an audit?”

You might be surprised by the answer – you don’t! There is really nothing that you have to actively do to be ready for an audit.

Auditing by its nature is historical – we review documentation for transactions and actions that have already occurred. By looking at the historical activity, we are able to evaluate the normal state of processes and procedures. And, from that review, we can provide feedback on the adequacy of the internal controls surrounding those processes.

So, the state to strive for is to always be ready for an audit. How would you do that, you ask? Well, as part of your normal course of operations, doing the following often equates to a positive outcome in terms of an audit:

  • Establish and implement sound policies, procedures, and practices that are consistent with RIT policies and incorporate an appropriate level of oversight. DOCUMENT THESE!!
  • Follow your established procedures as well as RIT policies, consistently. The expectation of all employees is that they will follow policy – if you don’t know the policy, find out – ask, before you act!
  • Use good judgment in areas that might not be covered by policy – a.k.a. exercising common sense!
  • Document, document, document- this is key! Let’s discuss this a bit further…….

In terms of transactional documentation, ensure that you have captured the “who,” “what,” “where,” “when,” and “why.”

The “why” often gives people the most challenges; this should clearly define the business purpose, in other words – how does RIT benefit from the transaction.

From a non-transactional perspective (e.g., strategic/operating decisions), it is important to document your thought processes on why you decided to take a specific approach (e.g., a cost/benefit analysis), who was involved with the decisions, what their input was on the decision, and the ultimate outcome. The goal is to ensure that down the road, if needed, your decisions will be explainable and that there will be sound documentation to support them.

Although it should be rare, exceptions to policy do occur. In these cases, it is imperative to ensure that the decision to deviate from policy is clearly documented and approved by the appropriate office and/or level of management. This documentation should include an explanation as to why the deviation was necessary.

Following these simple suggestions will help your audit go as smoothly as possible; however, regardless of whether or not you are ever audited, implementing these few tips will help you to strengthen your internal control environment! And, lastly, when it comes time to be audited, prepare to work together as a team. IACA’s motto is “Achieving Excellence Through Collaboration” - together we can establish a strong control environment and identify opportunities for continuous improvement!

Inform RIT

Contributed by: Ben Woelk, ISO Program Manager

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about iOS mobile device security.

iOS Mobile Security

Mobile device security is becoming increasingly important as more people store personal and confidential information on their phones. However, it is sometimes challenging to navigate different operating systems in order to set up strong security measures. This article introduces four simple ways to begin to protect your iPhone’s security.

Create a stronger passcode

The default setting on most iPhones is to use a six-digit PIN. This should be replaced with a strong alphanumeric code that has a mix of numbers, letters, and symbols.

To change your current passcode to something stronger, go into Settings > Touch ID and Passcode (or Face ID and Passcode), Passcode), scroll down and tap Change passcode. It will prompt you to enter your current pin and then ask you to enter your new passcode. Tap Passcode Options and select Custom Alphanumeric Code. Enter your new password.

Enable Automatic Updates

Any mobile device that isn’t updated can become a security risk. (They are computers that can be used as phones.) Updates regularly include fixes to poor security features in the device (or app) software. If those weaknesses aren’t updated, they may provide a way for malware to infect your device. Make sure that your iPhone is always up-to-date and secure by enabling automatic updates.

To enable automatic updates, go to Settings > General > Software Update. Scroll to the bottom and tap on Automatic Updates and toggle on.

Turn on Find My Phone

The built-in Find My Phone app gives you some control over your phone even if it is lost or stolen. If your phone goes missing, this app lets you lock it remotely and displays a message telling the finder how to return the phone. If you choose to enable Location Services, you will also be able to see a map of where your missing device is. If you believe your device has been stolen, the app even has the option to erase your phone. This would ensure the safety of any personal or confidential information you store on it. Overall, this powerful app makes sure that you have control of your device and personal information even when your phone goes missing.

To turn on Find My Phone, go to Settings > [your name] > Find My and toggle on.

To turn on Location Services, go to Settings > Privacy > Location Services. Toggle on, then scroll until you see Find iPhone. Make sure that Location Access is allowed “While Using the App.”

Turn on Two-Factor Authentication

Your Apple ID gives you access to many vital services both on your phone and online. Some of these services include: iTunes, App Store, iCloud (all your photos, notes, and information), and Find My Phone. This makes keeping your Apple ID secure crucial. To help ensure that you and you alone have access to your Apple ID and all the services that come along with it, turn on Two-Factor Authentication. This will send a verification code to your phone every time you – or someone else – attempts to log on to your Apple account from a new device. That way, if a cybercriminal steals your credentials and attempts to log on to your account, they will not be able to access your information without first acquiring the verification code sent only to your personal phone.

To enable Two-Factor Authentication on your iPhone, go to Settings > [your name] > Password & Security.

Enter your password, then tap Turn On Two-Factor Authentication.

Conclusion

These four simple methods set you on the path to better protect your iPhone and personal data from possible cybercriminals and thieves. There are many additional steps you can take to better protect your devices as well. Future steps you may consider taking to protect your information include setting up a Virtual Private Network (VPN), installing a mobile security app, or using a password vault. To learn more, visit the Mobile Device section of the RIT Information Security website.

Sources:
https://support.apple.com/en-us/HT210400
https://support.apple.com/en-us/HT207198
https://staysafeonline.org/stay-safe-online/securing-key-accounts-devic…
https://us.norton.com/internetsecurity-mobile-iphone-tips-for-ios12.html

IACA Moves to Eastman Hall

After much planning, purging, and packing, IACA successfully moved our offices in August 2019, from Orange Hall to Eastman Hall. Our new office is located on the first floor of Eastman in Suite 1160 – right between the Office of the Registrar and the Office of Talent Acquisition. Although we enjoyed our previous location in Orange Hall, we love our new space and are happy to to have our team reside within one common suite! Please feel free to come visit us and check out our new offices. The front entrance to the suite is secured via Lenel access, so please knock or ring the bell for admittance.

Just as an FYI - Our new space was previously occupied by the Accounts Payable and Payroll Offices. As of May 2019, the Accounts Payable and Payroll Offices have moved to the 2nd floor of Barnes and Noble (B&N) at 100 Park Point Drive. There is a secure, locked outgoing mail receptacle located in the 1st floor vestibule on the south side of Eastman Hall next to the ATM, where interoffice mail can be dropped off for delivery to the Controller’s Office in B&N. The Hub picks up mail from this location Monday through Friday at 10:30 a.m. and 1:30 p.m. for same day delivery to the Controller’s Office at B&N.

Training Opportunities Provided by IACA

Internal Controls and Fraud in the Workplace

During the 2.5 hour Internal Controls and Fraud in the Workplace class, the importance of, components of, and the responsibility for establishing and maintaining effective internal controls are discussed. Various examples of what can happen when controls are non-existent or break down (i.e., fraud) are shared throughout the class. The session is required in order to receive the RIT Accounting Practices, Procedures and Protocol Certificate of Completion. However, anyone interested in learning about internal controls and fraud prevention is welcome to attend.

To learn more about these important topics, sign up for a session at the CPD website.

The next upcoming training session of Internal Controls & Fraud in the Workplace is: Wednesday, January 15, 2020, 1:30-4:00 p.m., Louise Slaughter Hall, Rm 2140

Unit-Level Risk Assessment: How to Advance Your Organization’s Agility

The first step towards successfully managing risk is to implement an effective risk assessment methodology. Risk assessment is a systematic process for identifying and evaluating both external and internal events (risks) that could affect the achievement of objectives, positively or negatively. During this 2.5 hour class, we will discuss the key components of an effective risk assessment process and how to integrate it into the business process to provide timely and relevant risk information to management. To learn more about this offering, see the corresponding CPD website.

The next upcoming training session of Unit-Level Risk Assessment is: Wednesday, April 22, 2020, 1:30-4:00 p.m., Louise Slaughter Hall, Rm 2140

Additional Information by IACA

Pop Quiz Challenge

Correctly answer the question below and you will be entered in a random drawing to win a prize valued at $15. The winner will be notified by email. https://www.rit.edu/fa/iaca/content/quiz

Congrats to Lisa Hann, the winner from our last issue!

How can departments best ensure a positive audit outcome and strengthen their control environment?

  1. Establish, implement, and follow sound policies, procedures, & practices.
  2. Use good judgment in areas that might not be covered by policy.
  3. Maintain thorough and detailed documentation to support transactions.
  4. All of the above.

Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our web-page.

Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

IACA Team
Learn more about your IACA team.