Northeastern University
Internal Audit
Department Control Self-Assessment
Purpose
This tool is designed to help individual departments evaluate their internal control environment and identify
areas of risk and opportunity for improvement. A strong internal control environment can better position a
department to achieve compliance, financial and operational objectives.
By using this tool, departments will find suggestions for generally good business practices that will increase
efficiency and effectiveness within the department's internal control environment.
Procedures: How to Complete this Assessment
All questions should be answered by yes, no, not sure, or n/a. Use the "Describe Control / Comment" area
to document the control by describing the department's business process or procedure, or why no control
exists.
By thoroughly considering the questions, you will be evaluating your control environment against sound
business practices. We encourage you to engage your entire team into the exercise to brainstorm for those
areas of opportunity and to share the experience.
If you would like to obtain more information about any of the questions in the Control Self-Assessment or if
you would like the Internal Audit department to verify the results of your Control Self-Assessment, please
contact Internal_Audit@neu.edu
http://www.northeastern.edu/internalaudit
Internal Control Self-Assessment Questionnaire
Department:
Date:
Name:
Phone:
Email:
Organizational Governance /
Control Environment
1
Are individuals1 in your department sufficiently
familiar with the Northeastern University Policy
Page that addresses issues related to financial
matters, and the use of information and related
technology and regulatory compliance?
2
Are individuals in your department reviewing the
Conflict of Interest Policy and completing the
Conflict of Interest form on an annual basis?
3
Are individuals in your department familiar with
how to report violations of law or policy, including
the University's confidential compliance hotline?
4
Does your department have an organizational
chart that defines lines of authority and
responsibility?
5
Is the organizational chart updated when
necessary?
6
Has your department documented internal policies
and procedures that are specific to the
department related to performing all significant
administrative and financial processes?
7
Are these policies and procedures updated, when
necessary?
Information Security, Confidentiality and Data Privacy
1
1
Yes
No
Not
Sure
N/A
Describe Control / Comment
Yes
No
Not
Sure
N/A
Describe Control / Comment
Does your department have its own
system/information technology support staff?
Individuals include faculty, staff, contractors, temporary employees, and student employees.
2
2
Are individuals in your department familiar with
the Northeastern University IS Help Desk function?
3
Do all individuals in your department use
University owned and approved workstations and
laptops with the latest virus protection?
4
Do individuals in your department utilize the Q
Drive or Sharepoint for all information that is
sensitive and needs to be backed-up and stored
off-site?
5
Do all individuals in your department maintain
unique user accounts for key systems, and
passwords are kept confidential?
6
Are individuals in your department aware of how
to change their password and encouraged to
change their password at least annually?
7
Are individuals in your department "logging off"
and locking their computer prior to stepping away
from their computer?
8
Are individuals in your department familiar with
the VPN software that should be utilized when
faculty/staff is connecting to University resources
from home/outside NEU's network?
9
Does your department track software inventory
and licenses?
10
Has a disaster recovery/business continuity plan
been developed for your department?
11
If answered "yes" to #10, has the disaster recovery
/ business continuity plan been tested by
faculty/staff?
12
Are individuals in your department familiar with
the Northeastern University Policy on Appropriate
Use of Computer and Network Resources?
3
13
Does your department properly maintain
documentation (either manually or electronically)
containing any of the following confidential data
elements that are considered to be "personally
identifiable" information that could be used to
commit identity theft?
(a) Social Security number;
(b) driver's license number or state-issued
identification card number; or
(c) financial account number, or credit or debit
card number, with or without any required
security code, access code, personal identification
number or password, that would permit access to
a resident’s financial account, etc.
14
Are individuals in your department who are
responsible for handling Personally Identifiable
Information familiar with Massachusetts Data
Protection Laws (MA201 CMR 17.00), the
University Appropriate Use Policy, and Policy on
Retention and Disposition of University Records?
15
Does your department properly maintain
documentation "electronically" that includes
private and/or confidential information about
student, faculty/staff, donors, clinical patients,
research participants, etc? (Note - please list the
groups in the comment section)
16
Does your department properly maintain "hard
copy" documentation that includes private and/or
confidential information about student,
faculty/staff, donors, clinical patients, research
participants, etc? (Note - please list the groups in
the comment section)
17
Are documents which contain private and/or
confidential information restricted to appropriate
faculty/staff?
Purchasing
1
Yes
For purchases over $10,000, are competitive bids
obtained and purchase orders utilized?
4
No
Not
Sure
N/A
Describe Control / Comment
2
Are all contracts and agreements submitted to the
Office of General Counsel for legal review, and are
all insurance requirements reviewed by the Office
of Risk Services?
3
Are Northeastern's preferred vendors routinely
used (office supplies, office furniture, scientific
supplies, temporary staffing, etc.)?
4
Are purchases pre-approved by supervisors as
necessary?
5
Are purchases sufficiently documented to support
appropriate University use?
6
Are invoices compared to receiving reports,
packing slips and purchase orders?
7
Do individuals in your department ensure that
sales tax is not included on all purchases?
8
Is there adequate segregation of duties between
purchasing, approving the purchase, receiving and
paying?
Corporate Credit Card
1
Prior to the launch of the Concur system, was
there a formal reconciliation process established
for each cardholder to reconcile his or her monthly
Procard statements with receipts and invoices?
2
If answered “Yes” to the question above, are
ProCard statements still retained in accordance
with the university retention schedule (7 year
period)?
3
Are individuals in your department sufficiently
familiar with the Concur Travel & Expense
Management System?
Have cardholders received training on the
University's policies and procedure before
receiving a card?
Has a formal reconciliation process been
established for each cardholder to reconcile his or
her corporate credit card statements with receipts
and invoices? (Note – please provide role
classifications in comment section or email to
Internal Audit representative)
4
5
Yes
5
No
Not
Sure
N/A
Describe Control / Comment
6
Are receipts or other documentation submitted to
the reviewer and signed-off for approval on a
monthly or quarterly basis?
7
Is there a process to identify and correct
incomplete reconciliations?
8
Are individuals in your department aware that split
orders to avoid approvals are prohibited?
9
Is the corporate card only used by the authorized
cardholder?
10
Is the corporate card kept in a secure location to
which only the cardholder has access?
11
Are stolen or lost corporate cards reported
immediately?
12
If capital assets are purchased on the corporate
card, is it reported to the Accounting Office?
13
Are corporate cards collected from terminated or
transferred employees?
Travel and Reimbursement
1
2
Yes
Are individuals in your department sufficiently
familiar with the Travel & Expense Reimbursement
Policy?
Are reimbursement processes clearly established
(e.g. receipts, business purpose, deadlines,
approval)?
3
Are travel plans made sufficiently in advance to
obtain the most favorable transportation rates?
4
Are direct supervisors notified of all employee
travel plans and provided with both a complete
travel itinerary and emergency contact number
prior to departure?
5
Are all requests for business and entertainment
expenses documented in terms of how the activity
was University or business related, including a
listing of attendees (with titles)?
6
Are all lodging accommodations at a reasonable
cost, comfortable and convenient to the place of
business?
6
No
Not
Sure
N/A
Describe Control / Comment
7
Are automobile rentals only used when absolutely
necessary to conduct business, not as a
faculty/staff convenience and only rented for the
specific time needed?
8
Do approvers feel they have and can exercise their
authority to deny reimbursement for nonUniversity business expenditures?
Budget Reconciliation
1
Are funding sources evaluated annually to assess
the sustainability of current funding levels?
2
Does the budget process include key members of
management?
3
Has an individual been assigned responsibility to
each department budget including operating,
overhead, grants, discretionary and agency
accounts?
4
Is the assigned individual to each budget
responsible for reviewing and signing-off of
department's monthly Banner financial reports to
signify approval?
5
Does appropriate segregation of duties exist for
budget expenditures and reconciliations? (The
same individual should not process budget
transfers, process expenses, and perform
reconciliations. If this does occur, a manager
should be responsible to review all budget
transactions on an ongoing basis).
6
Are managers held accountable for keeping the
spending within the budgetary limits?
Are un-reconciled financial transactions
researched and corrected in a reasonable period of
time?
7
Revenue Collection
1
If your department collects cash, checks, or credit
card payments, please briefly describe from whom
the payments are collected from and for what
purpose.
7
Yes
No
Not
Sure
N/A
Describe Control / Comment
Yes
No
Not
Sure
N/A
Describe Control / Comment
2
Does adequate segregation of duties exist within
the department between individuals responsible
for receiving, depositing and reconciling cash and
checks?
3
Are cash receipt logs maintained to create
supporting documentation to which you can
reconcile deposits?
4
Are deposits of funds made on the day the funds
were received or the next business day?
5
Are cash and checks safeguarded in a locked area
prior to deposit?
6
Is credit card information retained? (Note – If yes,
please detail how information is stored in the
comment section.)
7
Are cash and checks adequately protected when
transferred to the Cashier's Office or bank?
8
Is there adequate physical security where cash
handling activity occurs?
9
Are receipts given when cash or checks are
delivered in person?
Building and Office Security
1
Have all concerns about the safety of the
building(s) been brought to the attention of the
individuals or group responsible for building safety
(e.g. lack of building exit routes, trained safety
monitors, regular evacuation drills)?
2
Does the department have an emergency action
plan and all faculty/staff have been trained to
know how to respond to emergency situations
such as a fire?
3
Have individuals who work in laboratories and/or
handle hazardous materials received all required
training?
4
Is the use of department space by outside groups
limited and coordinated with the department
head?
Yes
8
No
Not
Sure
N/A
Describe Control / Comment
5
Does the department maintain an up-to-date
inventory control log of all department keys/cards
and their assignment to individuals?
6
When an individual is terminated, are keys/cards
collected immediately and access to the building is
denied?
7
Are OneCard access privileges for locks within the
department periodical review to ensure only
authorized individuals have access?
8
Does the department have an inventory of
temporary access cards? If yes, is their use and
distribution tacked?
9
Are departmental users with administrative
privileges to the One Card system (CS Gold)
tracked and monitored for appropriate use?
Inventory Control
1
2
No
Not
Sure
N/A
Describe Control / Comment
Yes
No
Not
Sure
N/A
Describe Control / Comment
Are inventory items and fixed assets maintained in
a secure location with access to only authorized
faculty/staff?
As your department acquires and/or retires assets,
do you periodically obtain the listing of capital
assets from Property Accounting and review for
accuracy and completeness?
3
Have formal procedures been established to
ensure that inventory items and fixed assets are
not being used for personal use?
4
Are inventory items and fixed assets over $5,000
easy to locate, properly tagged and in good
condition?
5
Is a physical inventory conducted at least
annually?
Human Resources Hiring
1
Yes
Are individuals in your department who are
responsible for hiring familiar with the Background
Checks and Credential Verification Policy?
9
2
Are supervisors in your department familiar with
the HRM Onboarding Checklist?
3
Are applicants tracked in the system of records?
4
Are individuals in your department who are
responsible for hiring familiar with the Electronic I9 Employment Eligibility Verification & E-Verify
Policy? (Note - Paper I-9 forms should no longer be
maintained in departments.)
5
Are new hires encouraged to attend new hire
orientation meetings?
6
Are new hires trained on University polices?
Payroll
1
Are payroll records and confidential files restricted
to authorized individuals?
2
Are individuals in your department trained to
perform assigned roles and responsibilities to
support payroll processing (time reporter, time
keeper, approver, adjuster)?
3
Are overtime hours submitted and approved each
week for overtime-eligible employees, including
temporary?
Are payroll distribution reports monitored to
identify extra-compensation, sponsored research,
un-submitted time, unapproved time, miscoding
etc.?
4
5
Do temporary staff employees adhere to the
University's policy regarding the hiring and use of
temporary employees?
6
Are payroll errors identified and corrected or
communicated to the payroll processor on a timely
basis?
7
Are changes in wages submitted to payroll timely
to minimize retroactive payments?
Faculty/Staff Management
10
Yes
No
Not
Sure
N/A
Describe Control / Comment
Yes
No
Not
Sure
N/A
Describe Control / Comment
1
Are performance goals and objectives discussed
and agreed to by staff and supervisor at the
beginning of the performance year?
2
Are annual performance reviews conducted and
documented?
Are sufficient training opportunities provided to
improve faculty/staff work related competencies?
3
Termination
1
Does management utilize the HRM Off-Boarding
Checklist when employees are terminated?
2
Do individuals in your department return
University property prior to termination (e.g. keys,
ID cards, laptops, corporate credit card(s),
research, etc.?)
Are payroll forms submitted in sufficient time to
prevent overpayment to terminated employees?
3
4
5
2
3
Not
Sure
N/A
Describe Control / Comment
Yes
No
Not
Sure
N/A
Describe Control / Comment
Yes
No
Not
Sure
N/A
Describe Control / Comment
Is a member of the department assigned to track
vacation and sick time? Sample vacation & sick
time tracking tools are available on the HRM
website here.
Is correspondence with staff maintained to ensure
accurate vacation, sick and personal time records
in order to not go over the limit?
Does management encourage staff to take
vacation?
4
Does the department head approve all vacation
time?
5
Is abuse of vacation, sick or personal time
reported?
Sponsored Research
1
No
Is access to University computer networks denied
immediately (e.g. Banner access, Q-share drive
access, email, etc.)?
Are exit interviews conducted?
Vacation and Sick Benefits
1
Yes
Are principal investigators familiar with their roles
and responsibilities for award management?
11
2
Is documentation on grant requirements,
restrictions and budgets maintained by the
department?
3
Have procedures been put into place to document
compliance if there is cost sharing?
4
Are regular meetings planned with the PI to review
the rate of expenditures and forecast budget and
planning?
5
Are budget reconciliations performed and
reviewed monthly (or at least quarterly) so that, if
needed, fraudulent expenses are corrected and/or
cost transfers are processed within a timely
manner?
Are principal investigators familiar with their roles
and responsibilities for effort reporting, as seen in
the University’s Policy on Effort Reporting?
6
7
Have accounts been prepared for closeout and
inactivation pursuant to the University Research
Grant Closeout Balance Policy?
8
Are all research protocols using animals (including
teaching protocols) reviewed and approved by the
University Institutional Animal Care and Use
Committee (NU-IACUC), whether or not they are
funded by an outside source?
Are all research protocols using human subjects
(including teaching protocols) reviewed and
approved by the Institutional Review Board (IRB),
whether or not they are funded by an outside
source?
9
Laboratory Safety
1
Are faculty/students familiar with policies and
procedures governing environmental health and
safety in the laboratory?
2
Does management monitor and ensure all
laboratory personnel/students have received
appropriate and/or required training?
3
Are chemical inventories accurately maintained?
Yes
12
No
Not
Sure
N/A
Describe Control / Comment