Basic Departmental Internal Controls
Presented by The Office of Internal Audit
2010

Office of Internal Audit
Integrity ∙ Accountability ∙ Security

Basic Control Assessment Report

Our training today is going to focus on the fifteen areas reviewed in the report.

Fifteen Key Areas

1. RECONCILIATION OF ACCOUNT BALANCE
2. LEAVE
3. RECORDS OF HOURS WORKED
4. PAYROLL PROCESS
5. COMPENSATORY TIME BALANCES
6. CASH ON HAND
7. CASH RECEIPTS/HANDLING
8. APPROVAL
9. PROCUREMENT CARD & FLEET CARD
10. LONG DISTANCE / CELL PHONE CHARGES
11. PROPERTY MANAGEMENT
12. FACILITIES MANAGEMENT
13. SPONSORED RESEARCH
14. INFORMATION SECURITY
15. GENERAL ADMINISTRATION

A. RECONCILIATION OF ACCOUNT BALANCES

See policy “Account Reconciliation”, 61.01.

• Reconciliation methods will vary depending on the size of the department and/or the account being reconciled.
• All reconciliations should be supported by a Banner ledger report such as FWREXEG or FWREXDP.

FWREXEG

1. Documentation exists to support timely reconciliation of departmental accounts on a consistent basis.

Must be:
1. Timely;
2. Supported by detailed ledger report;
3. Reconciled consistently.

2. Documentation exists to support … reviewed … timely … by the … department head, designee, or principal investigator.

Must be:
1. Signed by reconciler;
2. Signed by reviewer.

Without documentation (i.e., signature), it cannot be verified that review took place.

What is the purpose of review?
The purpose of reviewing a reconciliation or any other document is to ensure the document appears accurate. Therefore, the reviewer should be someone who is knowledgeable regarding the area being presented and would be able to identify errors or irregularities.

FWREXDP

Same requirements apply for non-E&G (i.e., timely, detailed, consistent), except “…principal investigators should always review their own (research) account reconciliations”. – OP 61.01

Required to ensure compliance with OMB A-21 and OMB A-133.

3. Departmental account fund balances appear adequately provided for without significant deficits.

[Slide figure: FZICHFB, with amounts -200,000.00, 100,000.00, -100,000.00, -300,000.00]

We and departments should be concerned about:
1. Accounts with significant deficits.
2. Accounts with negative change without expectation of relief.

B. LEAVE

See policies:
• HRM 60-201; and
• AOP 13.13

1. All eligible employees appear to be reporting leave usage.

Applies to all employees, faculty and staff. Being reviewed by our office during assessments and annually university wide.

Authorizing or taking leave without the completion and submission of appropriate leave forms is considered a misuse of assets (policy 01.19) and would be subject to disciplinary action.

2. Documentation exists to support that leave usage and balances are reviewed timely.

Each department should have one individual responsible for reviewing/reconciling leave processed/input to leave reported in Banner. Must have documentation of review/reconciliation. Should be initialed by reviewer.
- Errors in leave balances are found in many of our control assessments!

3. Documentation exists to support independent review of the processor's leave.

Must have documentation that the leave of the individual responsible for processing leave is also reviewed. Must have documentation of review such as reconciliation initialed or signed by department head or designee.

C. RECORDS OF HOURS WORKED

1. Time sheets/cards are maintained by the department for all non-exempt employees.

Based on federal/state law, rules and regs.

Non-exempt employees include:
- Clerical/Secretarial
- Technical/Paraprofessional
- Skilled Crafts
- Service/Maintenance
- Temporary Employees

Generally any employee that shows up on the Post-Time Entry report that is printed after entering time.

PERS requires a time record for all rehired retirees. Non-exempt retirees use standard time report. Exempt retirees would use Rehired Retiree Work Record (both forms located on HRM website).

2. Time sheets/cards appear accurate and include the recording of both leave and compensatory time.

Leave and comp time forms should be compared to timesheets to ensure they agree.

3/4. Time sheets/cards are signed and dated by the employee/supervisor after the time period being reported.

Signatures document agreement as to the hours worked.

D. PAYROLL PROCESS

In our review/assessment of the payroll process our main objective is to ensure that hourly employees are paid for the hours worked and recorded on the timesheets. This should not be to the exclusion of salaried/exempt employees' pay. If possible all pay should be reconciled, including that of salaried/exempt employees.

D. PAYROLL PROCESS (Timesheet to Ledger)

1. Documentation exists to support that time sheets are reconciled to Post Time Entry Reports.

Timesheet: 5.25 hours
Post-Time Entry Report: 5.25 hours

2. Documentation exists to support that Post Time Entry Reports are reconciled to Payroll Vouchers.

Post-Time Entry Report: 5.25 hours
Payroll Voucher: 5.25 hours for total pay of $30.71

3. Documentation exists to support that Payroll Vouchers are reconciled to Banner.

Payroll Voucher: 5.25 hours for total pay of $30.71
Ledger Report: pay of $30.71

No Payroll Voucher?
1. Reconcile directly from Post-Time Entry Report (PTER) to Banner; or
2. Use Banner report PWRDSPV or PWRVOCC.

4. Payroll duties appear to be adequately separated.

The more duties are separated the better the internal controls. At a minimum, two persons should be involved in the payroll process.

Note – Time sheets should not be delivered for input by the employee or student represented.
After reviewing and signing, the supervisor should forward timesheets for processing.

E. COMPENSATORY TIME BALANCES

1. Documentation exists to support that compensatory time balances are reconciled by one individual.

Comp balances should be reconciled to time sheets and documentation retained/maintained by one individual. Each employee that accrues comp time should not be responsible for keeping up with their own comp time.

2. Documentation exists to support that the reconciler’s compensatory time balance is reviewed.

Many times the individual responsible for maintaining comp balances also accrues comp time. If so, someone else should review their comp balance.
- Review documented by reviewer's initials.

Departments are HIGHLY encouraged to maintain compensatory time balances in Banner. This provides a centralized and uniform process that provides greater internal control.

F. CASH ON HAND

1. Documentation exists to support that cash on hand is properly reconciled.

Petty cash or change funds must be reconciled in a timely manner and accurately reflect amounts indicated in Banner.

If you receive cash how do you make change unless you have a change fund?
- University funds used for change must be recorded in Banner.

2. Cash appears to be adequately safeguarded.

Change funds and cash receipts should be kept secure, preferably locked away in a fireproof safe or file cabinet.

G. CASH RECEIPTS/HANDLING

See the “Cash Handling” policy 62.07.

1. Documentation exists to support that cash receipts are reconciled to Banner.

Account reconciliation should include the reconciliation of cash receipts. However, during our control assessments we have noted most departments reconcile expenditures but few reconcile cash.

Documentation of cash received, especially currency or checks received directly by the department, should be reconciled from receipt documentation (cash receipt form, cash log, etc.) to Banner.

2. A pre-numbered receipt, cash log, register tape, etc. is used to document cash received.

Must have some documentation that provides accurate record of funds received in order to reconcile.

3. Cash is physically safeguarded in a secured area until deposit.

As was stated with change funds, cash receipts should be kept secure, preferably locked away in a fireproof safe or file cabinet.

Cash receipts should be deposited weekly or when balance reaches $200, whichever comes first. (OP 62.07)

Note – Because of the “liquid” nature of cash this area may receive more scrutiny than any other during a control assessment. It is highly recommended for individual departments to get out of the cash (includes currency and checks) collection business if at all possible. If cash is being collected from students, other alternatives should be considered, such as direct charges to the student’s accounts receivable instead of receiving cash.

I. PROCUREMENT/FLEET CARD

1. Card transactions are adequately supported and reconciled to bank statements.
Someone needs to be looking at the transactions on the statement and comparing them to actual vendor receipts to make sure they appear appropriate. Once again, need documentation, i.e., initials of reconciler, tick marks, and supporting documents.

FLEET CARDS

We are now including a review of fleet card transactions in our control assessments. This includes any fuel cards (Shell, Chevron, BP, Fuelman).
• Will need detailed statements that show what was purchased, when purchased, quantity, and price.
• Should be supported by detailed receipts.
• Should be tied to a specific vehicle and/or other use. (For vehicles, should be tied to vehicle log.)

We must be able to prove/verify that purchase was made for the use/benefit of the university.

2. Documentation exists to support review of card journal entries and statements.

This is a review by someone other than the reconciler. Must be documented (bank/credit card statement also initialed by reviewer). Reviewer must be knowledgeable about what should or shouldn’t be purchased/charged on the card and should question unusual purchases. This includes Fleet/Gas Card Statements.

3. A sign in sheet, containing adequate information, is maintained to record card users.

The need for and/or amount of information necessary on a sign in sheet depends on the number of individuals allowed to use a given procurement card and the frequency of transactions. Should include who, what, when (date & time), where, why, and how much.
- Documentation must be adequate to determine who made a particular purchase and why it is a legitimate University purchase.

4. All cards are kept in a secure place such as a locked drawer or file cabinet.
Yes, you can take it out to use, but keep it safe; don’t carry it around when you don’t need it. Don’t carry on weekends or on vacation or even overnight if you don’t have to!!

J. LONG DISTANCE PHONE CHARGES

1. Documentation exists to support that statements are reviewed by the responsible employee.

Employees responsible for LDS number should review. Each employee making long distance calls should have their own unique LDS number.

2. Documentation exists to support that statements are reviewed by the department head/designee.

Department head or designee should review. Need to document by signing or initialing statement.

K. PROPERTY MANAGEMENT

1. Documentation exists to support annual observation of inventory by someone other than or in addition to the inventory representative.

Adequate internal controls require having more than one person involved in custody/monitoring/processing of assets.

At least once a year someone other than the person normally responsible should make sure everything can be accounted for! We recommend this be done during the physical inventory required by receiving and property control.

Once again, must be documented (i.e., have inventory observer sign the property report). (Person should be involved in observation process.)

2. Documentation exists to support the use of Hand Receipts for the removal of property off campus.
When it is necessary to remove equipment from assigned department in order to conduct official University business, a hand receipt should be kept on file by the department with a copy forwarded to R&PC. This includes cell phones and laptops. (MSU Property Manual)

The idea is to be able to either produce the actual property item or documentation of where it is at all times.

3. Documentation exists to support independent observation when processing Hand Receipts.

Whenever a hand receipt is issued, the inventory representative must physically observe the equipment in question. This includes when initial hand receipt is issued or when it is updated every twelve months (i.e., independent verification of the property).

4. Documentation exists to adequately support vehicle fuel and maintenance expenditures.

How much does it cost to operate and maintain your department's vehicle?

A fuel and maintenance log should be kept for each vehicle that records all related expenditures. This should include the type (fuel, oil, repair) and the cost. The log should include the odometer reading (mileage) when the expenditure took place.

K. FLEET MANAGEMENT

Vehicle log books are now available from Receiving and Property Control.

K. PROPERTY MANAGEMENT

5. Documentation exists to support adherence to Fleet Management Guidelines.

How many of you knew we even had Fleet Management Guidelines?

Located @ http://www.procurement.msstate.edu

Documentation would include appropriate vehicle records, employee vehicle use forms.

L. FACILITIES MANAGEMENT

1. Documentation exists to support the maintenance of an accurate record of keys issued and periodic analysis of missing keys to ensure adequate security.

When was the last time your office, suite, building and/or facility was keyed or rekeyed? Can you account for all keys issued? Are people, property, and information adequately secured?

Each department should have a current and accurate list of all keys issued to the department (and keys issued by the department to employees) to ensure that all keys can be accounted for and to help reduce the chance that access to sensitive/restricted areas could be gained by unauthorized persons.

M. SPONSORED RESEARCH

1. Documentation exists to support the timely, accurate completion of Confirmation of Effort reports by someone with a suitable means of verification that the work was performed.

This is a federal regulation (OMB A-21). “Suitable means of verification” is straight out of OMB A-21. This implies that the individual signing the form has received definitive and verifiable confirmation from the individual performing the work or from an individual that has specific knowledge of the work. Verification should be accompanied by written documentation.

Therefore, the person signing the confirmation should either be the individual represented, the Principal Investigator, or someone with documented verification as to the effort being reported.

If you have non-exempt employees being charged to sponsored projects then timesheets must provide sufficient documentation as to how much time was spent on a specific project. Additional care should be taken if individuals work on multiple projects during a given time period.

N. INFORMATION SECURITY

1. Sensitive information appears to be adequately secured.

Sensitive information would include but is not limited to:
• Social Security Numbers
• Credit Card Numbers
• Patient medical records
• Financial records (donor, student, employee)
• Personnel/Human Resources records
• Student records (scores, transcripts, etc.)
• Passwords, access codes, encryption keys
• Research data

For any sensitive info:
• Access should be limited to only those with a need to know.
• Physical (paper) documents should be kept safe and locked in a secure area.
• Departmental policy should require password protection on computers and encryption software on laptops.
• Local area networks should be properly secured.

2. Documentation exists to support compliance with information security policies.

Policies in question would include:
- Information Security Policy, 01.10
- Social Security Number Usage, 01.23

“By July of 2006, the SSN will no longer be used as the primary identifier of individuals associated with MSU…”
- (Social Security Number Usage, 01.23)

So quit using it for:
- Time Sheets
- EAFS (other than original employment)
- Travel
- Any other document where it is not required!

At this point the control assessments focus mainly on the “Social Security Number Usage” policy, 01.23, which requires the following forms for the following situations:
- Form SSN01 for storing SSNs in computer system.
- Form SSN02 for generating files and reports with SSNs.
- Form SSN03 for transmitting unencrypted SSNs off campus.
- Form SSN04 for employees with electronic access to SSNs.
- Form SSN05 for solicitation of SSNs.
- “Employee SSN Confidentiality Statement” for employees with access to SSNs. (Will apply to almost all departments, since if you hire employees you will have to get SSNs for payroll/tax purposes.)

3. Documentation exists to support compliance with software licensing agreements.

Per OP 01.12, “Examples of inappropriate and unacceptable use of computing and networking resources … violation of software license agreements”.

Departments must have proof of ownership/license agreements for software used on university computers. Documentation could include actual license agreement or copy of vendor invoice. University (ITS) does not maintain licenses for departments, even for some software “pushed” or accessed from the super server.

4. Documentation exists to support completion of information security training by appropriate persons.
Per MSU’s Information Security Program, all employees who have access to sensitive information must complete the online information security certification. Internal Audit can and will run a report that tells us who has and has not completed said certification.

The certification can be found on the onCampus website under the “Office” tab. Departments can monitor their employees' completion of the certification by running Banner report PWRISTL.

O. GENERAL ADMINISTRATION

1. Current desk manual exists for critical departmental controls and procedures.

We recommend that a desk manual be developed detailing critical procedures in the event of hiring a new employee or temporary worker substituting for an absent employee. We recommend that the manual detail tasks to be completed daily and tasks completed periodically/monthly with recommended timelines. The manual should be reviewed periodically with any changes noted.

2. Required postings of information maintained within department.

Whistleblower poster. During assessments we will request to see where these postings are displayed.

Record Retention

There is no official MSU or IHL retention policy. We recommend for most documents, such as department copies of purchases, invoices, ledgers, procard statements and support, etc.: current year plus three prior.

Specific HR/Payroll Guidance (HRM 60-109):

Departmental Employee File
If a department maintains a departmental employee file, upon the employee’s separation, the file must be forwarded to HRM.

Leave Records
Copies of Application for Leave and associated documents will be retained for four calendar years. Leave records older than four years will be destroyed.

Time Records
Departments who have non-exempt employees should retain the employee time sheets for a minimum of four years.

Exceptions:
Any documents that support sponsored/externally funded expenditures must be retained according to the grant/contract/authoritative document. May be longer than 3 or 4 years.

Need to talk to Registrar regarding student files and Provost regarding faculty files.