Quaestor Volume 20, Issue 1

Principle 1: Demonstrate Integrity – Internal auditors must demonstrate integrity in their work and behavior.

• Standard 1.1 Honesty and Professional Courage – Internal auditors must be truthful, accurate, clear, open, and respectful in all professional relationships and communications, even when expressing skepticism or offering an opposing viewpoint.
• Standard 1.2 Organization’s Ethical Expectations – Internal auditors must encourage and promote an ethics-based culture in the organization.
• Standard 1.3 Legal and Ethical Behavior – Internal auditors must understand and abide by the laws and/or regulations relevant to the industry and jurisdictions in which the organization operates, including making disclosures as required.

Examples of Conformance:

• IACA staff have professional certifications which require annual continuing professional education, including specific ethics related training.
• Annual performance evaluations are completed for all IACA staff members and include an assessment of their demonstration of RIT divisional core values including collaboration, integrity, and respect.
• Client satisfaction surveys are sent to clients after each audit engagement including questions related to whether IACA staff demonstrated a professional and constructive approach.
• IACA promotes a culture of ethics, responsibility, and accountability within the university community by providing regularly scheduled trainings (i.e., Internal Control and Fraud in the Workplace).

Principle 2: Maintain Objectivity – Internal auditors must maintain an impartial and unbiased attitude when performing internal audit services and making decisions.

• Standard 2.1 Individual Objectivity – Internal auditors must maintain professional objectivity when performing all aspects of internal audit services.  Professional objectivity requires internal auditors to apply an impartial and unbiased mindset and make judgements based on balanced assessments of all relevant circumstances.
• Standard 2.2 Safeguarding Objectivity – Internal auditors must recognize and avoid or mitigate actual, potential, and perceived impairments to objectivity.
• Standard 2.3 – Disclosing Impairments to Objectivity – If objectivity is impaired in fact or appearance, the details of the impairment must be disclosed promptly to the appropriate parties.

Examples of Conformance:

• IACA reports functionally to the Risk and Audit Committee of the Board of Trustees, allowing staff members to remain free of influence by any element in the university, including matters of audit selection, scope, procedures, frequency, timing, or report content.
• IACA staff may not develop nor install systems or procedures, prepare records, or engage in any other activity which would normally be audited.  However, IACA staff may perform advisory services without impairing their independence provided those services remain consultative and not operational in nature.
• IACA staff members are required to disclose any potential, real, or perceived conflicts of interest on an annual basis both as part of RIT’s Individual Conflict of Interest and Commitment process and through an internal conflict of interest/related party reporting process.

Principle 3: Demonstrate Competency – Internal auditors must apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully.

• Standard 3.1 Competency – Internal auditors must possess or obtain the competencies to perform their responsibilities successfully.  The required competencies include the knowledge, skills, and abilities suitable for one’s job position and responsibilities commensurate with their level of experience. 
• Standard 3.2 Continuing Professional Development – Internal auditors must maintain and continually develop their competencies to improve the effectiveness and quality of internal audit services.  Internal auditors must pursue continuing professional development including education and training.

Examples of Conformance:

• All members of the IACA staff hold professional certifications.  IACA staff track and maintain evidence of their continuing education attendance to support compliance with their certification requirements. IIA staff are members of several professional organizations which offer training, best practices, and benchmarking resources.

Principle 4: Internal auditors must apply due professional care in planning and performing internal audit services.

• Standard 4.1 Conformance with the Global Internal Audit Standards – Internal auditors must plan and perform internal audit services in accordance with the Global Internal Audit Standards.
• Standard 4.2 Due Professional Care – Internal auditors must exercise due professional care by assessing the nature, circumstances, and requirements of the services to be provided.
• Standard 4.3 Professional Skepticism – Internal auditors must exercise professional skepticism when planning and performing internal audit services.

Examples of Conformance:

• IACA has implemented a Quality Assurance Program which consists of internal post-engagement review of workpapers for compliance with IACA policies and procedures, an annual internal self-assessment of compliance with professional standards and a periodic self-assessment with independent external validation of compliance with professional standards (every 5 years).

Principle 5: Maintain Confidentiality – Internal auditors must use and protect information appropriately.

• Standard 5.1 Use of Information – Internal auditors must follow the relevant policies, procedures, laws, and regulations when using information.  The information must not be used for personal gain or in a manner contrary or detrimental to the organization’s legitimate and ethical objectives.
• Standard 5.2 Protection of Information – Internal auditors must be aware of their responsibilities for protecting information and demonstrate respect for the confidentiality, privacy, and ownership of information acquired when performing internal audit services or as the result of professional relationships.

Examples of Conformance:

• IACA staff members are required to take RIT Cybersecurity Fundamentals and Information Handling trainings on an annual basis.
• All IACA staff members sign a confidentiality agreement on an annual basis.
• Audit reports are circulated through a secured platform (Tiger File Exchanger) ensuring that the information is only accessible to those involved in the audit process.

In the next edition of the Quaestor, IACA will explore the 9 standards that fall under the 3 principles in Domain III: Governing the Internal Audit Function which outline the requirements for the chief audit executive to work closely with the Board of Trustees and senior management to establish the internal audit function, position it independently, and oversee its performance.

¹ Global Internal Audit Standards, The Institute of Internal Auditors ©2024

Many universities, including RIT, actively incorporate GenAI into daily operations. Tools such as AI-assisted writing become integral to the workflow, enabling faculty and staff to reduce repetitive tasks and enhance efficiency. However, it is crucial to maintain the privacy and ethical standards upheld by RIT during this integration. To achieve a successful implementation of GenAI, faculty and staff should engage with the technology thoughtfully, ensuring they remain aware of their obligations to safeguard sensitive information while reaping the benefits of improved productivity.

GenAI Data Concerns

GenAI tools can inadvertently expose sensitive data. Users must be mindful of the types of information they input into AI platforms. As RIT employees use GenAI, understanding the classification of information becomes increasingly important. RIT classifies information into four categories: “public,” “internal,” “private,” and “confidential.”. The RIT information handling and services matrix helps users determine what information they can share with AI tools. Officially-supported GenAI tools at RIT have enhanced data protection. Public and Internal Use information may be input into these tools. For other GenAI tools, only input Public information.

As we integrate GenAI tools into daily activities, it’s important to remember that AI is a tool, not a source of information. Responsibility lies with the user to ensure that the data entered is accurate and secure, and any use of AI generated information should be checked by the user.

Also, be cautious when downloading other GenAI tools or libraries. Malicious actors may disguise their malware under popular names. Always verify the reputation and source of the package you are installing to avoid compromising your data. 

Understanding RIT-Licensed AI Tools and Their Configurations

RIT licenses GenAI tools, including Microsoft Copilot, to support the community in day-to-day tasks. These tools feature configurations that:

• Prohibit sharing of sensitive data.
• Ensure compliance with RIT policies on data classification and security.
• Safeguard data against breaches or unauthorized access using encryption.

RIT is currently evaluating various GenAI tools to ensure that security is taken into consideration. While tools like ChatGPT offer a strong first-mover advantage, they may not always meet RIT’s security requirements, making it important to weigh the tradeoffs between security and usability when selecting tools for use (Collison). 

Best Practices for Using GenAI

Be aware of the information you input into GenAI. Always exercise caution when entering personally identifiable information (PII) or organizational sensitive data into AI systems. Although RIT-licensed tools aim to mitigate risks, you are responsible for the information you provide to the tools and how you use the information the tools provide.

Follow RIT’s Generative AI guidelines. When necessary, refer to RIT’s data classification standards and adhere to these guidelines when using GenAI tools to maintain privacy and compliance. Avoid sharing student records, employee data, and confidential research with AI platforms. Whenever possible, data anonymization techniques should be used when dealing with data input in GenAI.

You can find the RIT Classification Matrix at https://www.rit.edu/security/rit-information-handling-and-services-matr…, and RIT Information Handling Resources at https://www.rit.edu/security/information-handling-resources. For general RIT Generative AI guidelines, including do’s and don’ts, visit https://www.rit.edu/security/generative-ai. 

It is important to shift the perception of AI from being a “toy” to a serious tool for improving academic and administrative outcomes (Collison). As part of RIT’s commitment to responsible AI use, this shift involves creating awareness around the potential of GenAI while also emphasizing best practices.

As AI use grows, you must remain vigilant about the potential risks associated with data misuse. Understanding the available tools and following the outlined best practices allows you to explore AI’s benefits while keeping sensitive data secure and protected.

Includes Collison, Christopher. Interview. Conducted by Sophia Larson, 28 Feb. 2025.

Microsoft Copilot assisted with structuring this article.

It may be surprising to know, that RIT has tax compliance obligations for 8 (eight) different types of tax, in 57 (fifty-seven) jurisdictions, remitting just under a $100M of tax payments each year.

Like many universities across the country, the tax function at RIT resided within the Controller’s Office, specifically with the Financial Reporting team.  As RIT grew, a dedicated tax team became necessary, and in 2024 a Tax Department was established within CTO. This transition marked a significant milestone, requiring a concerted team effort to establish and develop the department.

It is very exciting to share with this readership the tax team members, their backgrounds, and their areas of focus and expertise here at RIT.  To learn more and connect with this new team live, join us on March 25th, as the Tax Department will host the CTO Community of Practice, featuring “A Day in the Life” presentations and a Q&A session.

Meet the Team:

• Anthony Palmiotto: Executive Director since June 2024, with a background in public accounting and corporate taxation. Anthony is a CPA with a BS and MBA from Fairleigh Dickinson University, and a Master’s of Tax from Villanova University. He provides strategic leadership for tax reporting, compliance, planning, and advisory. avpcto@rit.edu

• Benjamin Graniero: Financial Reporting Analyst since May 2024, focusing on income tax and the university’s endowment. Ben came to RIT from a regional public accounting firm.  Ben is a CPA with a BS from St. John Fisher University and a Master of Taxation from the University of Denver. btgcto@rit.edu

• Robert (Bob) Spring: Financial Reporting Analyst that transitioned from the Payroll Department in December 2024, specializing in payroll tax. Bob has over eleven years of experience at RIT and previously worked in payroll tax at a regional telecommunication company. Bob holds a BA from St. John Fisher University. rtspay@rit.edu

• Murielle Christophe: Joined in January 2025 as a Financial Reporting Analyst, covering sales and other indirect taxes. Murielle has over fifteen years of experience in tax compliance and internal controls, with a background in financial services and consulting. She is a Certified Internal Controls Auditor and holds a BA and an MBA from Sacred Heart University. maccto@rit.edu

• Yash Sewpal: Student worker who joined the team in August 2024, assists across all tax workstreams with a focus on metrics, analytics, and process documentation. Yash earned a BS from RIT and is currently completing his MS at RIT. yrscto@rit.edu

Current Focus:

The Tax Department’s primary function is to support the University community with all tax matters and to ensure the University complies with all tax reporting and remittance obligations.

This new team has worked extensively to expand on that primary responsibility to include providing a positive customer experience for all members of the university community.  We are proud of some of our recently completed initiatives aimed at delivering customer delight:

• Rebuilding the Tax Department webpage to provide timely and useful tax information. (https://www.rit.edu/controller/taxes)
• Redesigning the sales tax exemption page to improve the customer experience. (https://www.rit.edu/controller/sales-tax-exemption)
• Utilizing shared email boxes for efficient communication: taxdept@rit.edu for income tax inquiries, payrolltax@rit.edu for payroll tax inquiries, and salestax@rit.edu for sales tax inquiries.

Future Plans:

Looking into 2025 and beyond, the team is excited to tackle the following projects:

• Shifting some tax workstreams to the RIT Service Center in 2025.
• Developing a new solution for gifts given in 2025.
• Assisting in Implementing Workday in January 2026.
• Modernizing tax reporting processes to better serve CTO, Finance & Administration, and the university at large.

Thank you very much for taking the time to learn a little bit more about this new team, and we hope you join us on March 25^th for the CTO Community of Practice.  Please never hesitate to reach out to any of us individually, or through our shared mailboxes—we are always here to help!