Quaestor Volume 19, Issue 2

The New Global Internal Audit Standards™

Contributed by: Nancy Nasca, Associate Director, Institute Audit, Compliance and Advisement

On January 9, 2024, the Institute of Internal Auditors (IIA), the global professional association that leads the internal audit profession, released the new Global Internal Audit Standards™ (the Standards).1

These Standards replace the 2017 International Professional Practices Framework and take effect on January 9, 2025. They are a set of principles and requirements that guide the professional practice of internal auditing worldwide and serve as a basis for evaluating and elevating the quality of the internal audit function.

The Standards are organized into five domains and 15 guiding principles:

  • Domain I: Purpose of Internal Auditing – Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.
  • Domain II: Ethics and Professionalism
    • Principle 1: Demonstrate Integrity – Internal auditors must demonstrate integrity in their work and behavior.
    • Principle 2: Maintain Objectivity – Internal auditors must maintain an impartial and unbiased attitude when performing internal audit services and making decisions.
    • Principle 3: Demonstrate Competency – Internal auditors must apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully.
    • Principle 4: Exercise Due Professional Care – Internal auditors must apply due professional care in planning and performing internal audit services.
    • Principle 5: Maintain Confidentiality – Internal auditors must use and protect information appropriately.
  • Domain III: Governing the Internal Audit Function
    • Principle 6: Authorized by the Board – The board of trustees establishes, approves, and supports the mandate of the internal audit function.
    • Principle 7: Positioned Independently – The board of trustees establishes and protects the internal audit function’s independence and qualifications.
    • Principle 8: Overseen by the Board – The board of trustees oversees the internal audit function to ensure the function’s effectiveness.
  • Domain IV: Managing the Internal Audit Function
    • Principle 9: Plan Strategically – The chief audit executive plans strategically to position the internal audit function to fulfill its mandate and achieve long-term success.
    • Principle 10: Manage Resources – The chief audit executive manages resources to implement the internal audit function’s strategy and achieve its plan and mandate.
    • Principle 11: Communicate Effectively – The chief audit executive guides the internal audit function to communicate effectively with its stakeholders.
    • Principle 12: Enhance Quality – The chief audit executive is responsible for the internal audit function’s conformance with the Global Internal Audit Standards and continuous performance improvement.
  • Domain V: Performing Internal Audit Services
    • Principle 13: Plan Engagements Effectively – Internal auditors must plan each engagement using a systematic, disciplined approach.
    • Principle 14: Conduct Engagement Work – Internal auditors must implement the engagement work program to achieve the engagement objectives.
    • Principle 15: Communicate Engagement Results and Monitor Action Plans – Internal auditors must communicate the engagement results to the appropriate parties and monitor management’s progress toward the implementation of recommendations or action plans.

Each of the 15 principles is supported by standards that contain requirements, considerations for implementation, and examples of evidence of conformance. In addition, there are topical requirements designed to enhance the consistency and quality of internal audit services related to specific audit subjects (e.g., cybersecurity) and to support internal auditors performing engagements in those risk areas. In future editions of the Quaestor, IACA will further explore the 52 standards that help internal auditors achieve the principles and fulfill the purpose of internal auditing.

1 Global Internal Audit Standards™, The Institute of Internal Auditors ©2024

Admin Rights: What You Need to Know

Contributed by: Ben Woelk, Governance, Awareness, and Training Manager

Written by: Heela Safy, Cybersecurity Communications Specialist

The Power You Hold: Admin Rights, Privileged Users, and Security

What are Administrative Rights?

Admin rights give users elevated control over a computer system or network, allowing them to do important tasks such as installing or uninstalling software, changing system settings, managing user accounts, and accessing restricted files. These elevated privileges are provided ONLY to those who require them, such as system administrators or IT personnel, in order to maintain the system's integrity and security.

Administrative rights, also known as privileged access, are limited to specific users in order to prevent unintentional configuration errors, security breaches, or unauthorized access to critical data.

Why Does It Matter Who Has Admin Rights?

In a university setting, managing admin rights is crucial. Universities handle a large amount of sensitive data, including student records, research data, and financial information. A compromised administrator account can cause breaches, data loss, and even system-wide outages.

Do I Need Administrative Rights?

Before requesting admin rights, consider the potential risks and whether they are truly necessary for your role. Administrative access comes with significant responsibility, and asking for it without a legitimate, critical need can introduce unnecessary risks to the entire system. Here’s why you should think twice:

  • IT Staff Responsibilities: Admin rights are primarily for IT personnel who manage core university systems and networks. They are responsible for safeguarding the system’s integrity and security. If you're not in this role, you generally don’t need admin access.
  • Research or Specialized Work: Only in rare, highly specialized cases might admin access be justified. Even then, it must go through proper channels for approval, ensuring that all risks are understood and managed.
  • Risk of System Instability: Misusing admin rights can lead to unintentional damage, such as corrupting system settings or causing major security vulnerabilities. This could result in system failures or even require a full reinstallation, leading to data loss, downtime, and serious consequences for you and the institution.

If you don’t absolutely need admin rights, do not ask for them. It's better to let IT staff handle tasks like system management and software installation to ensure everything is done securely and in compliance with university policies.

Here’s what you can do without admin rights:

  • Routine Work: Most everyday tasks, such as writing papers, sending emails, and accessing course materials, do not require admin access. These activities can be performed safely and efficiently with a standard user account.
  • Automated Updates: Many applications and system updates are managed through back-end management tools at RIT. These systems ensure that software is kept up to date without the need for individual users to have admin rights, allowing for a secure and streamlined process.

Privileged Users

Every faculty or staff member at RIT who has administrative rights or who accesses Confidential or Private Information is defined as a privileged user.

Requirements for Privileged Users

All privileged users must complete RIT’s Information Handling Course. This training covers key aspects such as:

  • Proper data classification and handling.
  • Techniques for securing private and confidential information.
  • Regulatory compliance related to data privacy and security.

All RIT users, including privileged users, must understand and follow the Information Security Policy C08.1 and its related standards, such as the Desktop and Portable Computer Standard, and the RIT Code of Conduct for Computer and Network Use C08.2. These documents define the ethical and legal duties for the proper use of RIT's computing resources and the safeguarding of digital assets.

Admin Rights Approval Process

Admin rights are only provided to RIT faculty and staff with a business justification and the approval of their dean or VP, as well as their IT management team. To gain admin rights, users must follow a strict approval process and provide:

Justification for Privileges: Users must demonstrate a valid need for elevated privileges.  The needs are reviewed on a case-by-case basis and may involve conversations with the IT management team as well as the Dean or VP.

VP or Dean, and IT Support Approval: Admin rights cannot be granted without the approval of the requester's dean or VP and of IT Support. IT staff check that the request follows organizational standards and security protocols.

Security and compliance checks: Before privileges are provided, the system must meet all security criteria, such as up-to-date software patches, antivirus protection, and adequate backup configurations, to help ensure that users with administrative rights do not jeopardize the system or other RIT Information Resources.
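As an added example (not RIT's own tooling, and not part of this newsletter), the PowerShell script below performs the two checks described above on a Windows workstation: it lists members of the local Administrators group that are not on an approved list (who holds admin rights), and reports whether the machine meets patch and antivirus criteria before a new grant is approved. The approved-holder list, the 30-day patch age and the 7-day Defender signature age are assumptions for illustration; backup configuration depends on the backup tool in use and is left to manual verification.

```powershell
# Added example, not RIT's own tooling. Requires Windows 10/11 with the
# Microsoft.PowerShell.LocalAccounts and Defender modules (both ship with Windows).

# Constructed list of principals expected to hold admin rights on this machine;
# replace with the names recorded in the approved request for the device (assumed values).
$ApprovedAdmins = @('BUILTIN\Administrator', 'RIT\Desktop Support')

function Get-UnapprovedAdminHolders {
    param([string[]]$Approved)
    # Direct members of the local Administrators group that are not in the approved list.
    # Names come back as COMPUTER\user or DOMAIN\user, so compare against that form.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-AdminRightsPrerequisites {
    param(
        [int]$MaxPatchAgeDays     = 30,   # assumed threshold
        [int]$MaxSignatureAgeDays = 7     # assumed threshold
    )
    $checks = [ordered]@{}

    # Patch currency: age of the most recently installed update (entries without a date are skipped).
    $newest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $checks['PatchesCurrent'] = if ($newest) {
        ((Get-Date) - $newest.InstalledOn).Days -le $MaxPatchAgeDays
    } else { $false }

    # Antivirus: Microsoft Defender real-time protection on and signatures recent.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $checks['AntivirusActive'] = ($mp.RealTimeProtectionEnabled -and
            $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    } catch {
        # Defender cmdlets unavailable (third-party AV or module missing): not verified, so fail closed.
        $checks['AntivirusActive'] = $false
    }

    [pscustomobject]$checks
}

$unapproved = Get-UnapprovedAdminHolders -Approved $ApprovedAdmins
if ($unapproved) {
    Write-Warning 'Admin rights are held by principals outside the approved list:'
    $unapproved | Format-Table -AutoSize
}

# Both values must be True before the request proceeds; backups are confirmed manually.
Test-AdminRightsPrerequisites | Format-List
```

Run it from a PowerShell session on the machine in question. A non-empty warning list means admin rights have drifted from what was approved and should be reconciled before anything new is granted; a False in either prerequisite means the device does not yet meet the criteria the request process requires.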


The Importance of Timekeeping: Paying Employees Correctly and On Time

Contributed by: Ellen Fustanio, Executive Director, Payroll

The University’s workforce plays a vital role in achieving its strategic goals and fulfilling its mission to educate students. The Payroll team works diligently to ensure that all employees are paid correctly and on time.

For employees who are paid hourly, accurate timekeeping is the cornerstone of this process. As a manager, your active participation in timekeeping is essential to ensure employees are paid correctly and for the University to comply with legal and regulatory requirements. Here are some best practices to help you manage timekeeping effectively:

Timekeeping for non-exempt employees

  • Timekeeping System: RIT's timekeeping system is Kronos. The best way to learn how to view your employees' time entries and run the reports that support your review of payroll information for non-exempt staff in your department is to take the online Timekeeping course in the RIT Talent Roadmap.
  • Onboarding: When onboarding a new hourly employee, review timekeeping procedures, including how to use the clock and the importance of using the closest time clock to their work location.
  • Clocking In/Out: Non-exempt staff swipe their badge at the clock. Student employees use their University ID (UID) and Job ID.

Using the time clocks

  • Accuracy: Using a time clock to punch in and out is the most accurate method for collecting time.
  • Availability: There are 63 time clocks around campus; their locations are listed in the Knowledge Base article "Timeclocks on campus," available through the RIT Service Center (RSC).
  • Recording Time: Ensure employees record actual time worked.

Recording absences and meal breaks

  • Recording time off: Supervisors are responsible for entering approved time off on employee timecards, as these cannot be recorded at the clock.
  • Break Requirements: In compliance with State and Federal labor laws, employees should punch in and out for meal breaks. Meal breaks must be at least 30 minutes for shifts of 6 or more hours. For shifts lasting 10 hours or longer, an additional 30-minute break is required.

Who is approving time cards?

  • Supervisors: Time worked must be reviewed and approved by the supervisor, even when someone else completes the sign-off in Kronos. If you complete the sign-off yourself, review your employees' time entries to make sure they are complete and accurate. If a designated person in your department completes the sign-off, make sure you know who that is and how you, as the supervisor, review and approve the entries so that the designated approver can sign off on your behalf.
  • Designated departmental employee completing sign-off, not the supervisor: If you are approving for a supervisor, ensure you have documentation to support the supervisor’s review and approval of the time recorded prior to completing the sign off process.
  • Back-up approvers: Departments should have a backup who can complete the sign-off process.
  • Training: Approvers (supervisors and/or departmental approvers) need to complete the Kronos (Timekeeping system) training available in the Talent Roadmap.
  • Changing Approvers: If you need to change your departmental approver, submit a Kronos supervisor access request ticket through the RIT Service Center.

When is the Approval Deadline?

  • Sign-Off Day: The Friday following the close of the period is the sign-off day. Mark this on your calendar.
  • Review Timecards: Take time to review your employees' timecards. If you have questions about recorded time, follow up with the employee and correct the entries as needed.
  • Payroll Schedule: The payroll schedule is posted on the Controller's Office website under Payroll Schedules.

Making Changes After Approval

  • Requesting Changes: If you need to make changes after approval, you can request to remove a timecard signoff by entering an RSC Ticket.
  • Common Errors: The most common timekeeping errors are overlapping punches and missed punches in/out. These will lead to reminder notifications and incorrect and/or untimely pay for employees unless corrected.
  • Proactive Review: Regularly review employee timecards, discuss any issues with your employees, and correct them before sign-off day.
  • Authorization: Edits to timecards require an authorization form signed by the employee. The Timecard Change Authorization form is available on the Controller's website. This process should be used sparingly, as frequent use points to errors in your department's process that need to be addressed. If you find yourself using this form regularly and would like help reviewing your process, reach out to payroll@rit.edu and someone will connect with you to assist.

For additional information, refer to Knowledge Base Articles in the RIT Service Center, and the Controller’s Office and HR websites.

Thank you for your attention to this important matter. If you have any questions or need further assistance, please contact payroll@rit.edu, and one of our payroll professionals will be happy to help.

Training Opportunities Provided by IACA

Internal Controls and Fraud in the Workplace

During the 2.5-hour Internal Controls and Fraud in the Workplace class, the importance of, components of, and responsibility for establishing and maintaining effective internal controls are discussed. Examples of what can happen when controls are non-existent or break down (e.g., fraud) are shared throughout the class. The session is required in order to receive the RIT Accounting Practices, Procedures and Protocol Certificate of Completion, but anyone interested in learning about internal controls and fraud prevention is welcome to attend.

To learn more about these important topics, sign up for a session in the RIT Talent Roadmap.

The next training sessions of Internal Controls & Fraud in the Workplace are:

  • Tuesday November 12, 2024, 9:00 AM - 11:30 AM - Location: Louise Slaughter Hall, Room 2140
  • Thursday January 9, 2025, 9:00 AM - 11:30 AM - Location: Louise Slaughter Hall, Room 2140

Unit Level Risk Assessment—How to Advance Your Organization’s Agility

The first step towards successfully managing risk is to implement an effective risk assessment methodology. Risk assessment is a systematic process for identifying and evaluating both external and internal events (risks) that could affect the achievement of objectives, positively or negatively. During this 2.5-hour class, we will discuss the key components of an effective risk assessment process and how to integrate it into the business process to provide timely and relevant risk information to management.

The next training session of Unit Level Risk Assessment is:

  • Wednesday October 23, 2024, 1:00 PM - 3:30 PM - Location: Louise Slaughter Hall, Room 2140

To learn more about these important topics, sign up for a session in the RIT Talent Roadmap.

Additional Information by IACA

Pop Quiz Challenge

Congrats to Kim Eldridge, Senior Staff Specialist, Kate Gleason College of Engineering (KGCOE) Industrial and Systems Engineering, our last winner!

Correctly answer the question below to be entered in a drawing to win a prize valued at $15. The winner is chosen randomly and notified by email.


Which one of the following is NOT one of the 15 principles in the new IIA Global Internal Audit Standards?

  1. Internal auditors must maintain an impartial and unbiased attitude when performing internal audit services and making decisions.
  2. Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.
  3. Auditors must provide Unit Level Risk Assessment and Internal Control and Fraud in the Workplace trainings.
  4. The board of trustees establishes and protects the internal audit function's independence and qualifications.

Click here to submit your answer.

Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage. Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

IACA Team
Learn more about your IACA team.