Northeastern University Internal Audit Department Control Self-Assessment Purpose This tool is designed to help individual departments evaluate their internal control environment and identify areas of risk and opportunity for improvement. A strong internal control environment can better position a department to achieve compliance, financial and operational objectives. By using this tool, departments will find suggestions for generally good business practices that will increase efficiency and effectiveness within the department's internal control environment. Procedures: How to Complete this Assessment All questions should be answered by yes, no, not sure, or n/a. Use the "Describe Control / Comment" area to document the control by describing the department's business process or procedure, or why no control exists. By thoroughly considering the questions, you will be evaluating your control environment against sound business practices. We encourage you to engage your entire team into the exercise to brainstorm for those areas of opportunity and to share the experience. If you would like to obtain more information about any of the questions in the Control Self-Assessment or if you would like the Internal Audit department to verify the results of your Control Self-Assessment, please contact Internal_Audit@neu.edu http://www.northeastern.edu/internalaudit Internal Control Self-Assessment Questionnaire Department: Date: Name: Phone: Email: Organizational Governance / Control Environment 1 Are individuals1 in your department sufficiently familiar with the Northeastern University Policy Page that addresses issues related to financial matters, and the use of information and related technology and regulatory compliance? 2 Are individuals in your department reviewing the Conflict of Interest Policy and completing the Conflict of Interest form on an annual basis? 3 Are individuals in your department familiar with how to report violations of law or policy, including the University's confidential compliance hotline? 4 Does your department have an organizational chart that defines lines of authority and responsibility? 5 Is the organizational chart updated when necessary? 6 Has your department documented internal policies and procedures that are specific to the department related to performing all significant administrative and financial processes? 7 Are these policies and procedures updated, when necessary? Information Security, Confidentiality and Data Privacy 1 1 Yes No Not Sure N/A Describe Control / Comment Yes No Not Sure N/A Describe Control / Comment Does your department have its own system/information technology support staff? Individuals include faculty, staff, contractors, temporary employees, and student employees. 2 2 Are individuals in your department familiar with the Northeastern University IS Help Desk function? 3 Do all individuals in your department use University owned and approved workstations and laptops with the latest virus protection? 4 Do individuals in your department utilize the Q Drive or Sharepoint for all information that is sensitive and needs to be backed-up and stored off-site? 5 Do all individuals in your department maintain unique user accounts for key systems, and passwords are kept confidential? 6 Are individuals in your department aware of how to change their password and encouraged to change their password at least annually? 7 Are individuals in your department "logging off" and locking their computer prior to stepping away from their computer? 8 Are individuals in your department familiar with the VPN software that should be utilized when faculty/staff is connecting to University resources from home/outside NEU's network? 9 Does your department track software inventory and licenses? 10 Has a disaster recovery/business continuity plan been developed for your department? 11 If answered "yes" to #10, has the disaster recovery / business continuity plan been tested by faculty/staff? 12 Are individuals in your department familiar with the Northeastern University Policy on Appropriate Use of Computer and Network Resources? 3 13 Does your department properly maintain documentation (either manually or electronically) containing any of the following confidential data elements that are considered to be "personally identifiable" information that could be used to commit identity theft? (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account, etc. 14 Are individuals in your department who are responsible for handling Personally Identifiable Information familiar with Massachusetts Data Protection Laws (MA201 CMR 17.00), the University Appropriate Use Policy, and Policy on Retention and Disposition of University Records? 15 Does your department properly maintain documentation "electronically" that includes private and/or confidential information about student, faculty/staff, donors, clinical patients, research participants, etc? (Note - please list the groups in the comment section) 16 Does your department properly maintain "hard copy" documentation that includes private and/or confidential information about student, faculty/staff, donors, clinical patients, research participants, etc? (Note - please list the groups in the comment section) 17 Are documents which contain private and/or confidential information restricted to appropriate faculty/staff? Purchasing 1 Yes For purchases over $10,000, are competitive bids obtained and purchase orders utilized? 4 No Not Sure N/A Describe Control / Comment 2 Are all contracts and agreements submitted to the Office of General Counsel for legal review, and are all insurance requirements reviewed by the Office of Risk Services? 3 Are Northeastern's preferred vendors routinely used (office supplies, office furniture, scientific supplies, temporary staffing, etc.)? 4 Are purchases pre-approved by supervisors as necessary? 5 Are purchases sufficiently documented to support appropriate University use? 6 Are invoices compared to receiving reports, packing slips and purchase orders? 7 Do individuals in your department ensure that sales tax is not included on all purchases? 8 Is there adequate segregation of duties between purchasing, approving the purchase, receiving and paying? Corporate Credit Card 1 Prior to the launch of the Concur system, was there a formal reconciliation process established for each cardholder to reconcile his or her monthly Procard statements with receipts and invoices? 2 If answered “Yes” to the question above, are ProCard statements still retained in accordance with the university retention schedule (7 year period)? 3 Are individuals in your department sufficiently familiar with the Concur Travel & Expense Management System? Have cardholders received training on the University's policies and procedure before receiving a card? Has a formal reconciliation process been established for each cardholder to reconcile his or her corporate credit card statements with receipts and invoices? (Note – please provide role classifications in comment section or email to Internal Audit representative) 4 5 Yes 5 No Not Sure N/A Describe Control / Comment 6 Are receipts or other documentation submitted to the reviewer and signed-off for approval on a monthly or quarterly basis? 7 Is there a process to identify and correct incomplete reconciliations? 8 Are individuals in your department aware that split orders to avoid approvals are prohibited? 9 Is the corporate card only used by the authorized cardholder? 10 Is the corporate card kept in a secure location to which only the cardholder has access? 11 Are stolen or lost corporate cards reported immediately? 12 If capital assets are purchased on the corporate card, is it reported to the Accounting Office? 13 Are corporate cards collected from terminated or transferred employees? Travel and Reimbursement 1 2 Yes Are individuals in your department sufficiently familiar with the Travel & Expense Reimbursement Policy? Are reimbursement processes clearly established (e.g. receipts, business purpose, deadlines, approval)? 3 Are travel plans made sufficiently in advance to obtain the most favorable transportation rates? 4 Are direct supervisors notified of all employee travel plans and provided with both a complete travel itinerary and emergency contact number prior to departure? 5 Are all requests for business and entertainment expenses documented in terms of how the activity was University or business related, including a listing of attendees (with titles)? 6 Are all lodging accommodations at a reasonable cost, comfortable and convenient to the place of business? 6 No Not Sure N/A Describe Control / Comment 7 Are automobile rentals only used when absolutely necessary to conduct business, not as a faculty/staff convenience and only rented for the specific time needed? 8 Do approvers feel they have and can exercise their authority to deny reimbursement for nonUniversity business expenditures? Budget Reconciliation 1 Are funding sources evaluated annually to assess the sustainability of current funding levels? 2 Does the budget process include key members of management? 3 Has an individual been assigned responsibility to each department budget including operating, overhead, grants, discretionary and agency accounts? 4 Is the assigned individual to each budget responsible for reviewing and signing-off of department's monthly Banner financial reports to signify approval? 5 Does appropriate segregation of duties exist for budget expenditures and reconciliations? (The same individual should not process budget transfers, process expenses, and perform reconciliations. If this does occur, a manager should be responsible to review all budget transactions on an ongoing basis). 6 Are managers held accountable for keeping the spending within the budgetary limits? Are un-reconciled financial transactions researched and corrected in a reasonable period of time? 7 Revenue Collection 1 If your department collects cash, checks, or credit card payments, please briefly describe from whom the payments are collected from and for what purpose. 7 Yes No Not Sure N/A Describe Control / Comment Yes No Not Sure N/A Describe Control / Comment 2 Does adequate segregation of duties exist within the department between individuals responsible for receiving, depositing and reconciling cash and checks? 3 Are cash receipt logs maintained to create supporting documentation to which you can reconcile deposits? 4 Are deposits of funds made on the day the funds were received or the next business day? 5 Are cash and checks safeguarded in a locked area prior to deposit? 6 Is credit card information retained? (Note – If yes, please detail how information is stored in the comment section.) 7 Are cash and checks adequately protected when transferred to the Cashier's Office or bank? 8 Is there adequate physical security where cash handling activity occurs? 9 Are receipts given when cash or checks are delivered in person? Building and Office Security 1 Have all concerns about the safety of the building(s) been brought to the attention of the individuals or group responsible for building safety (e.g. lack of building exit routes, trained safety monitors, regular evacuation drills)? 2 Does the department have an emergency action plan and all faculty/staff have been trained to know how to respond to emergency situations such as a fire? 3 Have individuals who work in laboratories and/or handle hazardous materials received all required training? 4 Is the use of department space by outside groups limited and coordinated with the department head? Yes 8 No Not Sure N/A Describe Control / Comment 5 Does the department maintain an up-to-date inventory control log of all department keys/cards and their assignment to individuals? 6 When an individual is terminated, are keys/cards collected immediately and access to the building is denied? 7 Are OneCard access privileges for locks within the department periodical review to ensure only authorized individuals have access? 8 Does the department have an inventory of temporary access cards? If yes, is their use and distribution tacked? 9 Are departmental users with administrative privileges to the One Card system (CS Gold) tracked and monitored for appropriate use? Inventory Control 1 2 No Not Sure N/A Describe Control / Comment Yes No Not Sure N/A Describe Control / Comment Are inventory items and fixed assets maintained in a secure location with access to only authorized faculty/staff? As your department acquires and/or retires assets, do you periodically obtain the listing of capital assets from Property Accounting and review for accuracy and completeness? 3 Have formal procedures been established to ensure that inventory items and fixed assets are not being used for personal use? 4 Are inventory items and fixed assets over $5,000 easy to locate, properly tagged and in good condition? 5 Is a physical inventory conducted at least annually? Human Resources Hiring 1 Yes Are individuals in your department who are responsible for hiring familiar with the Background Checks and Credential Verification Policy? 9 2 Are supervisors in your department familiar with the HRM Onboarding Checklist? 3 Are applicants tracked in the system of records? 4 Are individuals in your department who are responsible for hiring familiar with the Electronic I9 Employment Eligibility Verification & E-Verify Policy? (Note - Paper I-9 forms should no longer be maintained in departments.) 5 Are new hires encouraged to attend new hire orientation meetings? 6 Are new hires trained on University polices? Payroll 1 Are payroll records and confidential files restricted to authorized individuals? 2 Are individuals in your department trained to perform assigned roles and responsibilities to support payroll processing (time reporter, time keeper, approver, adjuster)? 3 Are overtime hours submitted and approved each week for overtime-eligible employees, including temporary? Are payroll distribution reports monitored to identify extra-compensation, sponsored research, un-submitted time, unapproved time, miscoding etc.? 4 5 Do temporary staff employees adhere to the University's policy regarding the hiring and use of temporary employees? 6 Are payroll errors identified and corrected or communicated to the payroll processor on a timely basis? 7 Are changes in wages submitted to payroll timely to minimize retroactive payments? Faculty/Staff Management 10 Yes No Not Sure N/A Describe Control / Comment Yes No Not Sure N/A Describe Control / Comment 1 Are performance goals and objectives discussed and agreed to by staff and supervisor at the beginning of the performance year? 2 Are annual performance reviews conducted and documented? Are sufficient training opportunities provided to improve faculty/staff work related competencies? 3 Termination 1 Does management utilize the HRM Off-Boarding Checklist when employees are terminated? 2 Do individuals in your department return University property prior to termination (e.g. keys, ID cards, laptops, corporate credit card(s), research, etc.?) Are payroll forms submitted in sufficient time to prevent overpayment to terminated employees? 3 4 5 2 3 Not Sure N/A Describe Control / Comment Yes No Not Sure N/A Describe Control / Comment Yes No Not Sure N/A Describe Control / Comment Is a member of the department assigned to track vacation and sick time? Sample vacation & sick time tracking tools are available on the HRM website here. Is correspondence with staff maintained to ensure accurate vacation, sick and personal time records in order to not go over the limit? Does management encourage staff to take vacation? 4 Does the department head approve all vacation time? 5 Is abuse of vacation, sick or personal time reported? Sponsored Research 1 No Is access to University computer networks denied immediately (e.g. Banner access, Q-share drive access, email, etc.)? Are exit interviews conducted? Vacation and Sick Benefits 1 Yes Are principal investigators familiar with their roles and responsibilities for award management? 11 2 Is documentation on grant requirements, restrictions and budgets maintained by the department? 3 Have procedures been put into place to document compliance if there is cost sharing? 4 Are regular meetings planned with the PI to review the rate of expenditures and forecast budget and planning? 5 Are budget reconciliations performed and reviewed monthly (or at least quarterly) so that, if needed, fraudulent expenses are corrected and/or cost transfers are processed within a timely manner? Are principal investigators familiar with their roles and responsibilities for effort reporting, as seen in the University’s Policy on Effort Reporting? 6 7 Have accounts been prepared for closeout and inactivation pursuant to the University Research Grant Closeout Balance Policy? 8 Are all research protocols using animals (including teaching protocols) reviewed and approved by the University Institutional Animal Care and Use Committee (NU-IACUC), whether or not they are funded by an outside source? Are all research protocols using human subjects (including teaching protocols) reviewed and approved by the Institutional Review Board (IRB), whether or not they are funded by an outside source? 9 Laboratory Safety 1 Are faculty/students familiar with policies and procedures governing environmental health and safety in the laboratory? 2 Does management monitor and ensure all laboratory personnel/students have received appropriate and/or required training? 3 Are chemical inventories accurately maintained? Yes 12 No Not Sure N/A Describe Control / Comment