Upload: nelson-farin

Post on 14-Dec-2015

Basic Departmental Internal Controls

Presented by The Office of Internal Audit

2010

Office of Internal Audit

Integrity ∙ Accountability ∙ Security

Basic Control Assessment Report

Our training today is going to focus on the fifteen areas reviewed in the report

Fifteen Key Areas

13. SPONSORED RESEARCH

14. INFORMATION SECURITY

15. General Administration

& FLEET CARD

A. RECONCILIATION OF ACCOUNT BALANCES

See policy “Account Reconciliation”, 61.01

• Reconciliation methods will vary depending on the size of the department and/or the account being reconciled.

• All reconciliations should be supported by a Banner ledger report such as FWREXEG or FWREXDP.

A. RECONCILIATION OF ACCOUNT BALANCES

FWREXEG 1. Documentation exists to support timely reconciliation of departmental accounts on a consistent basis.

Must be:

1. Timely;

2. Supported by detailed ledger report;

3. Reconciled consistently.

A. RECONCILIATION OF ACCOUNT BALANCES

FWREXEG 2. Documentation exists to support … reviewed … timely … by the … department head, designee, or principal investigator.

Must be:

1. Signed by reconciler;

2. Signed by reviewer;

Without documentation (i.e., a signature), we cannot verify that the review took place.

A. RECONCILIATION OF ACCOUNT BALANCES

What is the purpose of review?

The purpose of reviewing a reconciliation or any other document is to ensure the document appears accurate.

Therefore, the reviewer should be someone who is knowledgeable regarding the area being presented and would be able to identify errors or irregularities.

FWREXDP Same requirements apply for non-E&G (i.e., timely, detailed, consistent).

Except, “…principal investigators should always review their own (research) account reconciliations”. – OP 61.01

Required to ensure compliance with OMB A-21 and OMB A-133.

A. RECONCILIATION OF ACCOUNT BALANCES

3. Departmental account fund balances appear adequately provided for without significant deficits.

We and departments should be concerned about:

1. Accounts with significant deficits.

2. Accounts with negative change without expectation of relief.

[Slide figure: FZICHFB screen excerpt showing amounts -200,000.00; 100,000.00; -100,000.00; -300,000.00]

A. RECONCILIATION OF ACCOUNT BALANCES

B. LEAVE

See policies:

• HRM 60-201;

and

• AOP 13.13

Applies to all employees, faculty and staff.

B. LEAVE

1. All eligible employees appear to be reporting leave usage.

Being reviewed by our office during assessments and annually university wide.

Authorizing or taking leave without completing and submitting the appropriate leave forms is considered a misuse of assets (policy 01.19) and would be subject to disciplinary action.

Each department should have one individual responsible for reviewing/reconciling leave processed/input to leave reported in Banner.

B. LEAVE

2. Documentation exists to support that leave usage and balances are reviewed timely.

Must have documentation of review/reconciliation.

Should be initialed by reviewer.

- Errors in leave balances are found in many of our control assessments!

Must have documentation that the leave of the individual responsible for processing leave is also reviewed.

B. LEAVE

3. Documentation exists to support independent review of the processor's leave.

Must have documentation of review such as reconciliation initialed or signed by department head or designee.

Based on federal/state law, rules and regulations.

C. RECORDS OF HOURS WORKED

1. Time sheets/cards are maintained by the department for all non-exempt employees.

Non-exempt employees include:

- Clerical/Secretarial
- Technical/Paraprofessional
- Skilled Crafts
- Service/Maintenance
- Temporary Employees

Generally any employee that shows up on the Post-Time Entry report that is printed after entering time.

1. Time sheets/cards are maintained by the department for all non-exempt employees.

PERS requires a time record for all rehired retirees.

Non-exempt retirees use the standard time report.

Exempt retirees would use the Rehired Retiree Work Record. (Both forms are located on the HRM website.)

C. RECORDS OF HOURS WORKED

2. Time sheets/cards appear accurate and include the recording of both leave and compensatory time.

Leave and comp time forms should be compared to timesheets to ensure they agree.

C. RECORDS OF HOURS WORKED

3/4. Time sheets/cards are signed and dated by the employee/supervisor after the time period being reported.

Signatures document agreement as to the hours worked.

C. RECORDS OF HOURS WORKED

D. PAYROLL PROCESS

In our review/assessment of the payroll process, our main objective is to ensure that hourly employees are paid for the hours worked and recorded on the timesheets.

This should not be to the exclusion of salaried/exempt employees' pay. If possible, all pay should be reconciled, including that of salaried/exempt employees.

D. PAYROLL PROCESS (Timesheet to Ledger)

1. Documentation exists to support that time sheets are reconciled to Post Time Entry Reports.

Timesheet showing 5.25 hours

1. Documentation exists to support that time sheets are reconciled to Post Time Entry Reports.

Timesheet 5.25 hours

Post-Time Entry Report 5.25 hours

D. PAYROLL PROCESS (Timesheet to Ledger)

2. Documentation exists to support that Post Time Entry Reports are reconciled to Payroll Vouchers.

Post-Time Entry Report 5.25 hours

Payroll Voucher 5.25 hours for total pay of $30.71

D. PAYROLL PROCESS (Timesheet to Ledger)

3. Documentation exists to support that Payroll Vouchers are reconciled to Banner.

Payroll Voucher 5.25 hours for total pay of $30.71

Ledger Report pay of $30.71

D. PAYROLL PROCESS (Timesheet to Ledger)

No Payroll Voucher?

1. Reconcile directly from Post-Time Entry Report (PTER) to Banner; or

2. Use Banner report PWRDSPV or PWRVOCC

4. Payroll duties appear to be adequately separated.

The more duties are separated the better the internal controls. At a minimum, two persons should be involved in the payroll process.

Note – Time sheets should not be delivered for input by the employee or student represented. After reviewing and signing, the supervisor should forward timesheets for processing.

D. PAYROLL PROCESS

E. COMPENSATORY TIME BALANCES

1. Documentation exists to support that compensatory time balances are reconciled by one individual.

Comp balances should be reconciled to time sheets and documentation retained/maintained by one individual.

Employees who accrue comp time should not be responsible for keeping up with their own comp time.

2. Documentation exists to support that the reconciler’s compensatory time balance is reviewed.

Many times the individual responsible for maintaining comp balances also accrues comp time. If so, someone else should review their comp balance.

- Review documented by reviewer's initials.

E. COMPENSATORY TIME BALANCES

Departments are HIGHLY encouraged to maintain compensatory time balances in Banner.

This provides a centralized and uniform process that provides greater internal control.

E. COMPENSATORY TIME BALANCES

F. CASH ON HAND

1. Documentation exists to support that cash on hand is properly reconciled.

Petty cash or change funds must be reconciled in a timely manner and accurately reflect amounts indicated in Banner.

If you receive cash, how do you make change unless you have a change fund?

- University funds used for change must be recorded in Banner.

2. Cash appears to be adequately safeguarded.

Change funds and cash receipts should be kept secure, preferably locked away in a fireproof safe or file cabinet.

F. CASH ON HAND

G. CASH RECEIPTS/HANDLING

See the “Cash Handling” policy 62.07

1. Documentation exists to support that cash receipts are reconciled to Banner.

Account reconciliation should include the reconciliation of cash receipts. However, during our control assessments we have noted most departments reconcile expenditures but few reconcile cash.

Documentation of cash received, especially currency or checks received directly by the department, should be reconciled from receipt documentation (cash receipt form, cash log, etc.) to BANNER.

G. CASH RECEIPTS/HANDLING

2. A pre-numbered receipt, cash log, register tape, etc. is used to document cash received.

Must have some documentation that provides accurate record of funds received in order to reconcile.

G. CASH RECEIPTS/HANDLING

3. Cash is physically safeguarded in a secured area until deposit.

As was stated with change funds, cash receipts should be kept secure, preferably locked away in a fireproof safe or file cabinet.

Cash receipts should be deposited weekly or when balance reaches $200, whichever comes first. (OP 62.07)

G. CASH RECEIPTS/HANDLING

Note – Because of the “liquid” nature of cash this area may receive more scrutiny than any other during a control assessment.

It is highly recommended for individual departments to get out of the cash (includes currency and checks) collection business if at all possible. If cash is being collected from students, other alternatives should be considered, such as direct charges to the student’s accounts receivable instead of receiving cash.

G. CASH RECEIPTS/HANDLING

I. PROCUREMENT/FLEET CARD

1. Card transactions are adequately supported and reconciled to bank statements.

Someone needs to be looking at the transactions on the statement and comparing them to actual vendor receipts to make sure they appear appropriate.

Once again, documentation is needed, i.e., initials of reconciler, tick marks, and supporting documents.

FLEET CARDS

We are now including a review of fleet card transactions in our control assessments. This includes any fuel cards (Shell, Chevron, BP, Fuelman).

• Will need detailed statements that show what was purchased, when purchased, quantity, and price.
• Should be supported by detailed receipts.
• Should be tied to a specific vehicle and/or other use. (For vehicles, should be tied to the vehicle log.)

We must be able to prove/verify that purchase was made for the use/benefit of university.

2. Documentation exists to support review of card journal entries and statements.

This is a review by someone other than the reconciler.

Must be documented (Bank/credit card statement also initialed by reviewer)

Reviewer must be knowledgeable about what should or shouldn’t be purchased/charged on the card and should question unusual purchases.

I. PROCUREMENT/FLEET CARD

This includes Fleet/Gas Card Statements

3. A sign-in sheet, containing adequate information, is maintained to record card users.

The need for and/or amount of information necessary on a sign-in sheet depends on the number of individuals allowed to use a given procurement card and the frequency of transactions.

Should include who, what, when (date & time), where, why, and how much.

- Documentation must be adequate to determine who made a particular purchase and why it is a legitimate University purchase.

I. PROCUREMENT/FLEET CARD

4. All cards are kept in a secure place such as a locked drawer or file cabinet.

Yes, you can take it out to use, but keep it safe; don’t carry it around when you don’t need it.

Don’t carry on weekends or on vacation or even overnight if you don’t have to!!

I. PROCUREMENT/FLEET CARD

J. LONG DISTANCE PHONE CHARGES

1. Documentation exists to support that statements are reviewed by the responsible employee.

Employees responsible for LDS number should review.

Each employee making long distance calls should have their own unique LDS number.

2. Documentation exists to support that statements are reviewed by the department head/designee.

Department head or designee should review.

Need to document by signing or initialing statement.

J. LONG DISTANCE PHONE CHARGES

K. PROPERTY MANAGEMENT

1. Documentation exists to support annual observation of inventory by someone other than or in addition to the inventory representative.

Adequate internal controls require having more than one person involved in custody/monitoring/processing of assets.

1. Documentation exists to support annual observation of inventory by someone other than or in addition to the inventory representative.

At least once a year, someone other than the person normally responsible should make sure everything can be accounted for!

We recommend this be done during the physical inventory required by Receiving and Property Control. Once again, this must be documented (i.e., have the inventory observer sign the property report). The person should be involved in the observation process.

K. PROPERTY MANAGEMENT

2. Documentation exists to support the use of Hand Receipts for the removal of property off campus.

When it is necessary to remove equipment from the assigned department in order to conduct official University business, a hand receipt should be kept on file by the department with a copy forwarded to R&PC. This includes cell phones and laptops. (MSU Property Manual)

The idea is to be able to either produce the actual property item or documentation of where it is at all times.

K. PROPERTY MANAGEMENT

3. Documentation exists to support independent observation when processing Hand Receipts.

Whenever a hand receipt is issued, the inventory representative must physically observe the equipment in question.

This includes when the initial hand receipt is issued or when it is updated every twelve months (i.e., independent verification of the property).

K. PROPERTY MANAGEMENT

4. Documentation exists to adequately support vehicle fuel and maintenance expenditures.

How much does it cost to operate and maintain your department's vehicle?

A fuel and maintenance log should be kept for each vehicle that records all related expenditures. This should include the type (fuel, oil, repair) and the cost.

The log should include the odometer reading (mileage) when the expenditure took place.

K. PROPERTY MANAGEMENT

Vehicle log books are now available from Receiving and Property Control

K. FLEET MANAGEMENT

5. Documentation exists to support adherence to Fleet Management Guidelines.

How many of you knew we even had Fleet Management Guidelines?

Located @ http://www.procurement.msstate.edu

Documentation would include appropriate vehicle records, employee vehicle use forms.

K. PROPERTY MANAGEMENT

1. Documentation exists to support the maintenance of an accurate record of keys issued and periodic analysis of missing keys to ensure adequate security.

When was the last time your office, suite, building and/or facility was keyed or rekeyed?

Can you account for all keys issued? Are people, property, and information adequately secured?

L. FACILITIES MANAGEMENT

L. FACILITIES MANAGEMENT

1. Documentation exists to support the maintenance of an accurate record of keys issued and periodic analysis of missing keys to ensure adequate security.

Each department should have a current and accurate list of all keys issued to the department (and keys issued by the department to employees) to ensure that all keys can be accounted for and to help reduce the chance that access to sensitive/restricted areas could be gained by unauthorized persons.

M. SPONSORED RESEARCH

1. Documentation exists to support the timely, accurate completion of Confirmation of Effort reports by someone with a suitable means of verification that the work was performed.

This is a federal regulation (OMB A-21).

“Suitable means of verification” is straight out of OMB A-21. This implies that the individual signing the form has received definitive and verifiable confirmation from the individual performing the work or from an individual that has specific knowledge of the work. Verification should be accompanied by written documentation.

M. SPONSORED RESEARCH

1. Documentation exists to support the timely, accurate completion of Confirmation of Effort reports by someone with a suitable means of verification that the work was performed.

Therefore, the person signing the confirmation should either be the individual represented, the Principal Investigator, or someone with documented verification as to the effort being reported.


M. SPONSORED RESEARCH

1. Documentation exists to support the timely, accurate completion of Confirmation of Effort reports by someone with a suitable means of verification that the work was performed.

If you have non-exempt employees being charged to sponsored projects, then timesheets must provide sufficient documentation as to how much time was spent on a specific project. Additional care should be taken if individuals work on multiple projects during a given time period.


N. INFORMATION SECURITY

1. Sensitive information appears to be adequately secured.

Sensitive information would include but is not limited to:
• Social Security Numbers
• Credit Card Numbers
• Patient medical records
• Financial records (donor, student, employee)
• Personnel/Human Resources records
• Student records (scores, transcripts, etc.)
• Passwords, access codes, encryption keys
• Research data


N. INFORMATION SECURITY

1. Sensitive information appears to be adequately secured.

For any sensitive info:
• Access should be limited to only those with a need to know.
• Physical (paper) documents should be kept safe and locked in a secure area.
• Departmental policy should require password protection on computers and encryption software on laptops.
• Local area networks should be properly secured.


N. INFORMATION SECURITY

2. Documentation exists to support compliance with information security policies.

Policies in question would include:

Information Security Policy, 01.10

Social Security Number Usage, 01.23


N. INFORMATION SECURITY

2. Documentation exists to support compliance with information security policies.

By July of 2006, the SSN will no longer be used as the primary identifier of individuals associated with MSU… (Social Security Number Usage, 01.23)

So quit using it for:
- Time Sheets
- EAFS (other than original employment)
- Travel
- Any other document where it is not required!


N. INFORMATION SECURITY

2. Documentation exists to support compliance with information security policies.

At this point the control assessments focus mainly on the “Social Security Number Usage” policy, 01.23, which requires the following forms for the following situations:
- Form SSN01 for storing SSNs in computer system.
- Form SSN02 for generating files and reports with SSNs.
- Form SSN03 for transmitting unencrypted SSNs off campus.
- Form SSN04 for employees with electronic access to SSNs.
- Form SSN05 for solicitation of SSNs.
- “Employee SSN Confidentiality Statement” for employees with access to SSNs. (Will apply to almost all departments, since if you hire employees you will have to get SSNs for payroll/tax purposes.)


N. INFORMATION SECURITY

3. Documentation exists to support compliance with software licensing agreements.

Per OP 01.12, “Examples of inappropriate and unacceptable use of computing and networking resources….violation of software license agreements”.

Departments must have proof of ownership/license agreements for software used on university computers. Documentation could include the actual license agreement or a copy of the vendor invoice.

The University (ITS) does not maintain licenses for departments, even for some software “pushed” or accessed from the super server.


N. INFORMATION SECURITY

4. Documentation exists to support completion of information security training by appropriate persons.

Per MSU’s Information Security Program, all employees who have access to sensitive information must complete the online information security certification.

Internal Audit can and will run a report that tells us who has and has not completed said certification.

The certification can be found on the onCampus website under the “Office” tab.

Departments can monitor their employees’ completion of the certification by running Banner report PWRISTL.


O. GENERAL ADMINISTRATION

1. Current desk manual exists for critical departmental controls and procedures.

We recommend that a desk manual be developed detailing critical procedures in the event of hiring a new employee or temporary worker substituting for an absent employee.

We recommend that the manual detail tasks to be completed daily and tasks completed periodically/monthly with recommended timelines. The manual should be reviewed periodically with any changes noted.


O. GENERAL ADMINISTRATION

2. Required postings of information maintained within department.

Whistleblower poster.

During assessments we will request to see where these postings are displayed.


Record Retention

There is no official MSU or IHL retention policy.

We recommend for most documents, such as department copies of purchases, invoices, ledgers, procard statements and support, etc.:

Current Year plus three prior.


Record Retention

Specific HR/Payroll Guidance (HRM 60-109):

Departmental Employee File: If a department maintains a departmental employee file, upon the employee’s separation, the file must be forwarded to HRM.

Leave Records: Copies of Application for Leave and associated documents will be retained for four calendar years. Leave records older than four years will be destroyed.

Time Records: Departments that have non-exempt employees should retain the employee time sheets for a minimum of four years.


Record Retention

Exceptions:

Any documents that support sponsored/externally funded expenditures must be retained according to the grant/contract/authoritative document. This may be longer than 3 or 4 years.

Need to talk to the Registrar regarding student files and the Provost regarding faculty files.