
FINANCIAL AFFAIRS INFORMATION PROJECT ______

AUDIT INFORMATION PROJECT

Presented by

FINANCIAL AFFAIRS

April 2008

7/17/2008

FINANCIAL AFFAIRS AUDIT INFORMATION PROJECT ______

AUDIT INFORMATION PROJECT

Table of Contents

Introduction

Audit Survival Guide

Internal Controls

Segregation of Duties

Job Aids for the University Community: Departmental Receipts & Deposits; Disbursements / Payroll / Misc; Human Resources; Petty Cash; Purchasing Operations; Purchasing pCard; Travel

Job Aids for Units Handling Cash, Credit Cards and PCI Compliance

Additional Resources


INTRODUCTION

The Financial Affairs Audit Information Project is designed to assist departments and personnel at Florida Atlantic University with daily operations and how the operations may relate to and audit findings.

The first presentation is the Audit Survival Guide which explains audits and how to prepare for one. The next two topics are ones that most often result in audit findings – Internal Controls and Segregation of Duties. The last section is a tool that can be used to help determine if current operations may result in an audit finding.

If you have any questions, contact Purchasing, the Controller’s Office, the Office of the Inspector General, or Dianne Parkerson, [email protected].


AUDIT SURVIVAL GUIDE

View a PowerPoint presentation at http://www.fau.edu/fiscal/files/audit_web.pps

• Introduction
• Compliance
• Policies & Procedures
• Money Handling
• Safeguarding
• Separation Of Duties
• Documentation
• Contracts & Grants
• Authorized Signatures
• Telephone Charges
• Prior Audit Criticisms
• Additional Resources
• Summary

INTRODUCTION

Audits at Florida Atlantic University are performed to ensure compliance with generally accepted principles and with FAU and Florida’s Board of Governors policies and State Statutes. These audits may be conducted by federal, state, internal or external auditors. Questions relating to types of audits and the audit process should be directed to the Office of Inspector General.

This publication is to be used as a general guideline for how your area may best prepare itself for an audit. The topics are those that have been frequently covered in past audits. Prior recommendations may have been directed to a particular department, but they are applicable to most departments. Please review this document with your management team, particularly those involved with operational procedures or financial operations.

COMPLIANCE WITH STATUTES, RULES AND POLICIES

Florida Atlantic University must comply with a variety of Federal and state regulations and statutes, as well as internal policies and procedures. A department, whether academic or administrative, should be familiar with compliance issues pertaining to its operations. Many departmental websites make reference or have links to regulatory and compliance resources applicable to their operations. All employees should be familiar with their regulatory environment and if a formal institutional compliance program does not exist, a periodic internal evaluation of the level of compliance should be performed.

POLICIES & PROCEDURES

One of the first requests from auditors will be to review the department's written policies and procedures in order to determine compliance. This documentation should be at two levels, one being the department's general operating policies and the other, more detailed procedures, often referred to as desktop procedures.


It is especially important to document procedures used in handling fiscal matters. Flowcharts are useful, and current, detailed job descriptions should be a part of the entire package. If there are no procedures or if they are vague and/or out of date, it may result in an audit criticism.

It is suggested that policies and procedures be written if none exist. If they do exist, they should be periodically reviewed and updated as needed. Past memos outlining policies can often be used as a basis for developing a manual. The manual should be available to all employees, and ideally they should sign an acknowledgment form that they have read and understand the procedures.

MONEY HANDLING PROCEDURES

The term "money" refers not only to actual cash, but also to checks and credit cards, and may also be referred to as "funds." If your department is involved in collecting funds, make sure written procedures are up-to-date and expect this function to be scrutinized by the auditors.

Prior to involvement in accepting funds, the department should contact the Controller's Office for approval and the correct procedures to be used. If billing by invoice is a part of a department's routine, consult with the Controller's Office to determine if this should be handled through the Accounts Receivable system.

Audit concerns will include the proper use of pre-numbered departmental cash receipts, immediate and restrictive endorsement of checks, use of mail logs, security of funds, use of transfer forms, timely deposits and written procedures.

Any unusual transactions or exceptions to the norm must be documented and should be approved in writing if possible. If there are any questions about these items, contact either the Controller's Office for detailed procedures or the Inspector General's Office for general information.

Another area of money handling is petty cash accounts. The operation of a petty cash fund needs to have the Controller's Office approval. The cash must be secured and safeguarded from misuse or theft. It must not be used to cash personal checks or IOUs. Be certain the petty cash custodians are aware of the proper procedures to be used for petty cash. In addition, expect periodic visits by the staff to verify accuracy of the fund.

SAFEGUARDING ASSETS & PHYSICAL INVENTORY

Assets are any items of value and include equipment, cash, financial records, and the physical structures. Confidential information, such as student records must also be safeguarded from misuse, unauthorized changes or theft. Evaluate the physical security of the offices and limit distribution of keys to authorized personnel. If certain areas should be restricted to employees only, at a minimum this restriction should be posted. Review the security of computer equipment, software programs, computer files, and the proper use of password procedures. Also review the security of other equipment, materials and supplies that may be of value to someone.

Assets that cost $1,000 or more (plus certain other items) are tagged and accounted for as fixed assets. State law requires a physical inventory be conducted annually and the department's cooperation is a necessary part of this process. Property Management conducts the annual fixed inventory, including verification of off-campus items. Departments can facilitate accountability for fixed assets by completing forms as property is moved or taken off campus, when grants are closed, or when the "accountable officer" changes. Accounting for fixed assets is within the scope of each state operational audit and lack of proper controls can result in adverse audit findings and publicity. Contact Property Management for additional information and to learn of the department's responsibility in this area.

SEPARATION OF DUTIES (See Separation of Duties section for more information)

|| AUTHORIZATION || CUSTODY || RECORD-KEEPING ||

This is a basic and deterrent to , yet it is frequently overlooked and can be difficult to achieve in smaller operations. Ideally, authorization of transactions, custody of assets, and record-keeping should be the responsibility of different individuals. One overall consideration when designing the best control system is that, generally, the more negotiable the asset, the greater the need for separation of duties, as well as the need for increased physical security.

Duties are considered incompatible if someone can carry out and conceal an error or irregularity in the course of day-to-day activities. If adequate separation of duties is not possible due to lack of sufficient staff, then there should be increased oversight by management.

DOCUMENTATION & REVIEWS

Auditors will always want to see documentation that will support decisions, exceptions, transactions, end results, etc. Documentation is important in fiscal matters or for any action that is a deviation from the norm or the established policy.

Auditors are also concerned about documented supervisory reviews or approvals. Anytime an employee's work is reviewed, such review or approval should be notated by the reviewer's initials and the date.

Logs are a form of documentation, but to be effective they need to be used properly and consistently and should evidence supervisory review. Logs for checks received by mail, combination safe control listings, etc. are examples of logs which should have documented reviews.

Documented, periodic sampling by management is a form of review to ascertain that policies are being followed. This provides a good internal practice, not just something good to show the auditors.

CONTRACTS & GRANTS

The Division of Research should be contacted regarding questions on originating and accounting for contracts and grants. In accepting the grant, Florida Atlantic University is acting as a fiduciary. Grant funds must be expended only for the purpose of fulfilling the objective of the grant. However, since the University is also in a fiduciary role in expending State funds, it is just as important that all appropriate grant related costs be charged to the grant.

It should be emphasized to the principal investigators that not only is fulfilling the grant's purpose their responsibility, but proper use of funds and the review of these expenditures is also their responsibility. Contracts should be carefully read to determine the technical and financial requirements and conditions. The granting agency will often audit the records of their grants and there is an annual audit of Federal Financial Assistance Programs by the State of Florida Auditor General’s Office.


AUTHORIZED SIGNATURES

The University utilizes a signature system that is maintained by the Controller's Office. Updates by the departments, including changes resulting from terminations and employee transfers, are necessary to maintain integrity of the system.

TELEPHONE CHARGES

State telephones should be used only to conduct official state business. However, recognizing that there may be occasions when most people eventually find it necessary to make a personal toll call, the University has established a policy to cover these situations.

Personal toll calls and faxes should be logged by the individual making them, which can be as simple as a note on their calendar. The monthly phone bills should be distributed to employees for their review of toll calls made from their extension. Any personal calls must be reimbursed on a timely basis to the University. The exact procedure to be followed has been established in each department. This is a privilege that must not be abused or misused.

In addition, the most economical means of calling (800 numbers, etc.) should be used whenever possible. Contact Telecommunications for additional information.

PRIOR AUDIT CRITICISMS

Refer to released reports on the Florida Auditor General’s website, www.myflorida.com/audgen/, for various types of audit criticisms, paying close attention to the operational audits. Also, you may contact the Office of Inspector General for copies of internal audit reports for additional information.

ADDITIONAL RESOURCES

• How to Prepare for an Audit from FAU at http://www.fau.edu/fiscal/files/audit_web.pps
• How to Survive an Audit, PowerPoint presentation from UC Davis at http://internalaudit.ucdavis.edu/documents/howtosurviveanaudit.ppt
• How to Survive an Audit (Without Really Trying) from University of Utah at http://web.utah.edu/internal_audit/Internal%20Audit%20Presentation%207March2006.ppt
• Lessons Learned from Federal Audits at Other Schools from Brown University at http://research.brown.edu/pdf/OSP_9_22_06_Brown_Bag_Presentation.pdf
• Preparing For an Audit from Syracuse University at http://amas.syr.edu/amas1/display.cfm?content_ID=%22%2B%2C0%20%0A
• Grants - Preparing for an Audit from Coconino Community College at http://www.coconino.edu/grants/audit.html
• Audit – Beginning to End PowerPoint presentation from Texas A&M University at http://www.srainternational.org/newweb/sectionsinfo/so/m6.ppt


SUMMARY

All the above suggestions are very important; however, internal control procedures and the suggestions made for compliance should be subjected to a cost/benefit/risk analysis. The risks of non-compliance should be analyzed, and the benefits gained must outweigh the costs involved; management must determine if they are willing to accept the risks of non-compliance. If you have any questions in this area, contact the Inspector General's Office.

Management is responsible for the internal control procedures and for the operating policies of their area and management sets the tone for all employees. Taken seriously, management’s awareness of audit concerns will help to minimize audit criticisms and will also result in a better operating environment.

______

The Audit Survival Guide was initially issued as a booklet in 1994 by Dianne Parkerson. It has been revised by Morley Barnett, Inspector General, and formatted into a Web document at www.fau.edu/admin/oig/survival.php. The following PowerPoint Presentation is online at www.fau.edu/fiscal/files/audit_web.pps


GUIDE TO INTERNAL CONTROLS

• Elements of an Internal Control System
• Management and the Control Environment
• Methods of Designing an Internal Control System
• Building a Control Environment
• Completeness of Records and the Audit Trail
• Examination of Internal Controls
• Separation of Duties
• Miscellaneous Internal Controls
• Additional Resources
• Summary

ELEMENTS OF AN INTERNAL CONTROL SYSTEM

Internal controls are normally thought of as something of concern only to the Controller's Office and auditors. However, any area that authorizes use of resources, has control of assets, and provides information for the accounting records should be concerned with internal controls, also known as management controls. All areas of an organization are subject to audit and need an internal control system in place to help minimize audit criticisms. Management must understand the importance of controls, the risks in circumventing the controls and the ramification of abusing controls.

Internal controls are systems, policies, procedures and practices that are used to detect or prevent errors of commission and omission. Internal controls should safeguard an entity's assets, which include accurate financial records. Internal controls also promote operational efficiency and encourage adherence to prescribed managerial policies and procedures as well as laws, rules and regulations. Effective internal control is a cornerstone of successful management. The following information is meant to assist in expanding the reader's knowledge of what an internal control system should encompass; it should aid in preventing adverse audit findings and strengthen management oversight in needed areas.

MANAGEMENT AND THE CONTROL ENVIRONMENT

Management establishes and maintains the internal control system for the University. Management sets the tone, parameters and structures, but the responsibility of compliance belongs to all employees and their attitudes will help determine the success or failure of established controls. Management must demonstrate the importance of controls by ensuring their consistent application and show that compliance and controls are an integral part of the business operations.

Any control can be overridden by management. The risks associated with overrides must be assessed. Employees should be required to document any unusual request by management; preprinted forms may be used for such documentation. The use of such forms can provide a means for review of exceptions to controls. Top management needs to be aware that overrides may be more prevalent where there are decentralized branch operations, or areas of small operations making separation of duties difficult. Incentive programs can create an atmosphere for less than accurate records and/or inappropriate management overrides.


METHODS OF DESIGNING AN INTERNAL CONTROL SYSTEM

Although an adequate internal control system should prevent errors, an effective system will help detect errors when they occur within a reasonable time period. There are several tools available to assist in the design of an internal control system. These methods highlight strengths and weaknesses which may exist in the internal control system.

• A checklist review process is one form of evaluating a system. Issues of separation of duties, completeness of data, checks and balances, effect on operating efficiency, and possible overrides should be addressed. Checklists can be directed to the general environment as well as cycles within the operation. The checklist should state the objective to be achieved, possible risks if it’s not achieved, and question if the controls achieve the objective. The questions should relate to whether or not the controls are actually in use. If the questions are answerable by "yes/no", then they need to be worded in such a way that "yes" is not automatically the "correct" answer. An "incorrect" answer indicates a weakness and requires additional questions or investigation.

• Flowcharting is another means of designing and evaluating an internal control system. Flowcharts can show the flow of document processing and/or the controls of a system. Decision trees are similarly helpful in designing proper controls, but these tools are useful only if they are updated as changes occur.

• "Walk-throughs" and "transaction tracing" can be a useful tool. A transaction is walked through the system to determine if the procedure on paper can be accurately translated to actuality.

BUILDING A SOUND CONTROL ENVIRONMENT

A successful internal control environment needs the cooperation of the employees, with executives and senior management taking the lead by setting personal examples of high ethical conduct. Because of the possibility of human error, a system may need redundant and/or compensating controls. The extent of additional controls should be determined through cost/benefit analysis. The design of a system must be well thought out, weighing compliance against cost/benefit. The risk of non-compliance and its results must also be weighed. Employees must understand they will not be penalized for decreased operating efficiency which may stem from complying with prescribed controls. Employee annual evaluations should include a section on adherence to established controls. In order to maximize the effectiveness of the internal control system, management needs to pay attention to employee feedback about what does and does not work. One set of controls may not govern every transaction. For example, high dollar transactions are inherently more risky and should be subject to more stringent controls.

COMPLETENESS OF RECORDS AND THE AUDIT TRAIL

An audit trail is a chain of evidence; it is the path of an original source document to its final record in the accounting records. To establish an audit trail, all transactions, routine and non-routine, need to be documented, especially the non-routine, exception transaction.

Document control is vital in assuring all transactions are recorded. The use of pre-numbered forms, where appropriate, can assist as a control. All forms, including voided forms, must be accounted for. The manager needs to understand the flow of documents, which should be outlined in a manual. Written job descriptions should designate the roles of employees in document processing. As a processing phase is completed, it should be documented (initialed, dated, etc.). If a computer is completing some of the processing steps, computer access should be restricted to authorized users and applications; the program should contain controls and checks for completeness, limits, and reasonableness.

EXAMINATION OF INTERNAL CONTROLS

Auditors are using the computer more frequently in their audit techniques. Management should do the same. PC programs and specialized reports from IRM can be utilized to enhance the internal controls. This should be subject to cost/benefit analysis.

A standard audit technique is sampling, which means reviewing and/or testing a "sample of the whole." For example, if management has decided a particular transaction type requires two signatures, someone should periodically review several of the transactions (a random sample) to determine if two signatures are being obtained. If a particular operation is to be reviewed and initialed by someone, then a sample should be examined for such initials. Another example may be that every student file should contain a certain document. A sample of files should be reviewed for that purpose. The frequency of sampling will be determined by the volume and importance of the tested item. It will also be determined by the results of the sample. A large number of deviations would dictate more frequent and perhaps more extensive testing. The reviews and results should be documented; this will demonstrate to senior management and auditors that there is a commitment to efficient and effective operations.

Risk exposure worksheets can help with the design and evaluation of controls. They are used to determine the expected error or loss from one occurrence and the frequency with which this one occurrence is likely to be observed. The findings are subject to cost/benefit analysis.

A system of internal controls should recognize four major areas of risks:

1. valid documents may be lost and not recorded, or substitute documents may be entered into the records

2. transactions may be inaccurately recorded

3. assets may not be safeguarded

4. lack of compliance with established policies and procedures, laws, rules and regulations.

SEPARATION OF DUTIES (See Separation of Duties section for more information)

Separation of duties is a key internal control concept. No single individual should have control over an entire transaction. The duties of authorization, custody of assets and record-keeping should be the responsibility of three different individuals. Duties are considered to be incompatible if one individual can perpetrate and conceal errors and irregularities in the course of performing day-to-day activities without detection. If adequate separation of duties is not possible due to lack of sufficient staff, vacations, etc., then there should be written evidence of increased supervisory oversight.

A formal organization of separation of duties must not be overridden by the informal day-to-day structure. Unlimited access to accounting records, computer terminals, and assets, along with pre-signed forms, after-the-fact authorization, new employees, and a change in procedures will weaken the formal structure.

There is a risk in having an individual with a thorough knowledge and understanding of the entire system. Therefore, caution should be exercised in selecting individuals for cross training when it involves at least two of the above areas. Employees should be made aware of their control-related duties and the reasoning behind them.

Separation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls are needed, such as passwords, inquiry-only access, logs, edit checks, dual control of authorizations, exception reports, and reviews of input/output. Controls associated with passwords include having different levels of passwords, periodic expiration, deletions as employees terminate, and periodic re-logging in throughout the day. Separation of duties within an information technology department is a critical component of safeguarding assets and vital records.

Separation of duties can only limit the possibility of problems arising due to incompatible duties. Collusion can occur, invalidating the control procedures in place. The manager needs to be aware of co-worker relationships, as well as relationships outside the office, and be alert to the possibilities of collusion.

MISCELLANEOUS INTERNAL CONTROLS

Procedures are needed to assure that transactions are authorized by management, acting within their scope of authority.

• Proper documentation of processing is needed for the necessary audit trail. Documented reviews of transactions give validity to the audit trail.

• The following holds true at any level of employment, from a clerk to top management. Formal job descriptions are needed, which establish minimum work experience and educational and professional requirements. References should be checked and, if warranted, employees should be bonded. Once hired, there needs to be a training program, periodic evaluations, and the employee should have access to policy and procedure manuals.

• Vacations should be required of employees and the duties assumed by another employee. An employee who is purposely violating procedures for personal gain may not want to take time off and have another person get involved in his/her routine. Often problems with the system will be uncovered when someone else does become involved.

• Use of common sense in safeguarding assets is an important control feature. Locks, limited access, computer passwords and requiring ID's are some of the means to be considered.

• The usefulness of record-keeping is limited unless reconciliation procedures are followed. This involves periodic comparison of written documentation and expectation to actuality.

• Retention policies are needed for both physical documents and information stored in the computer. Backup procedures for computerized information are critical. This applies to all levels including centralized systems and personal computers.

• Clear, precise, written instructions should be provided for each function. These specific procedures should be in addition to a more general set of procedures needed to describe an entire operation. Manuals, job descriptions, detailed and general guidelines need to be updated as changes occur.

• Computer output should be reviewed against source documents.

• Documents containing non-computerized math calculations should be verified. When necessary, footing and cross-footing should be performed.

• There should be a semi-annual or annual review of the controls in place. Are they being used and used consistently? Are they meeting their objective? Are they being circumvented? Do they apply to current conditions? Do they provide a timely check? Are they understandable, useful and necessary? Does the operation have both preventive and detection controls applicable to both manual and computerized systems? Does the benefit outweigh the cost?


ADDITIONAL RESOURCES

• Elements of Effective Internal Controls for University Operations, from OIG, FAU at http://www.fau.edu/admin/oig/internal-controls.php
• Best Practices – go to http://www.fau.edu/fiscal/best-practices/keywords.pdf which lists Best Practices according to keywords. Scroll down to Internal Control.
• Internal Control Concepts – A Guide for Deans, Directors, and Department Chairs. PowerPoint presentation from Brigham Young University at https://audit.byu.edu/AuditWebsite/views/Website/Documents/SelfAuditTools/internal_controls_ppt_file.ppt
• Internal Controls from University of South Florida at http://usfweb2.usf.edu/uac/documents/InternalControls_%20FINAL%20032107.pdf
• Internal Control Guide & Other Related Materials from Boise State University at http://www.boisestate.edu/internalaudit/ITGandOther.shtml
• Management and Evaluation Tool from the General Account Office (GAO) at http://www.gao.gov/new.items/d011008g.pdf
• Internal Control Guide from Georgia Institute of Technology at http://www.audit.gatech.edu/ICG_final.pdf
• Internal Control from SUNY College of Environmental Science and Forestry at http://www.esf.edu/intcontrol/
• Internal Control Practices: Overview from UC San Diego at http://blink.ucsd.edu/Blink/External/Topics/Policy/0,1162,17360,00.html?coming_from=Content
• Best Practices Internal Controls from Wayne State University at http://internalaudit.wayne.edu/Internal/AuditBestPractices.htm
• Internal Control Self-Assessment Checklist from University of Utah at http://web.utah.edu/internal_audit/Internal%20Control%20Self%20Assessment%20Mar-06.doc
• Cash Handling and Control from University of Victoria at http://www.finance.uvic.ca/banking/controls.shtml

SUMMARY

A well designed internal control system, which is utilized, cannot prevent errors, but can reduce the probability of their occurrence and/or lack of detection. Many past audit findings are due to lack of adequate internal controls - or controls that are not followed. If you would like additional information regarding internal controls, contact the Office of Inspector General.

______

The Guide to Internal Controls was initially issued as a booklet in 1995 by Dianne Parkerson. It has been revised by Morley Barnett, Inspector General, and formatted into a Web document at http://www.fau.edu/admin/oig/controls.php. For more information on internal controls refer to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org/, the Information Systems and Audit and Control Association (ISACA), http://www.isaca.org/, and the Government Accountability Office, http://www.gao.gov/new.items/d011008g.pdf.


SEGREGATION OF DUTIES

• Introduction
• Examples of Incompatible Duties
• Factors Adversely Affecting Segregation of Duties
• Additional Resources
• Summary

INTRODUCTION

Segregation of duties is a basic, key internal control and often one of the most difficult to achieve, especially in a small operation. The basic concept for segregating duties is that no single individual should have control over all phases of a transaction. Ideally, the incompatible functional responsibilities of authorizing (initiating) transactions, custody of assets and record-keeping should be the responsibility of separate individuals.

Duties are considered to be incompatible if a single person can carry out and conceal errors and/or irregularities in the course of performing day-to-day activities. Assignments of duties should provide a cross-check of responsibilities to avoid incompatibilities.

Lack of proper segregation of duties may result in an audit criticism if it creates a material weakness in the internal control structure. A material weakness is one in which significant errors or irregularities may occur and not be detected timely by employees in the normal course of performing their assigned functions.

EXAMPLES OF INCOMPATIBLE DUTIES

1. Authorizing a transaction and posting it to general .

2. Receiving funds (checks or cash) and approving write-off of receivables.

3. Reconciling bank statements and booking entries to .

4. Authorizing payments to vendors and mailing the payments.

5. Setting up new employees and processing payroll.

6. Unlimited access to assets, accounting records and computer terminals and programs. An example would be using checks as the source documents to post to accounting records rather than using a check log or receipts.

FACTORS ADVERSELY AFFECTING SEGREGATION OF DUTIES

1. Existing controls may not be effectively used – for example, when one person prepares a mail log and another person processes the payments, a deposit ticket can be prepared, but the effectiveness of segregation of duties is minimized if the log total and deposit total are never compared.

2. Supervisory review of critical documents or activities may not exist or may be inconsistently applied.

3. Employees may have the power to negate established controls; often an employee in a supervisory position may have this power in an otherwise sound system. Documented oversight by a higher level of management will help lessen the possibility of abuse.

4. Information and transaction security may be compromised if computer access passwords are shared.

5. Employees may assume incompatible duties while filling in for vacationing or ill employees.

ADDITIONAL RESOURCES

• Separation of duties when it comes to Purchasing from UC San Francisco at http://www.ucsf.edu/ams/best/purchase.html
• Segregation of Duties from University of Utah at http://web.utah.edu/Internal_Audit/segregation_of_duties.htm
• Segregation of Duties Matrices from UC San Diego at http://amas.ucsd.edu/Services/Segragation.htm
• Segregation of Duties Policy from the University of Arizona at http://www.fso.arizona.edu/fso/deptman/19/1901duties.html
• Tip Sheet - Separation of Duties from UC Santa Cruz at http://finaff.ucsc.edu/cc/tips/sepduty.htm
• Demonstrating Separation of Duty from University of Washington at http://www.washington.edu/admin/finserv/procard/separation.htm

SUMMARY

The old adage stating that “an ounce of prevention is worth a pound of cure” is a truism that applies equally to the business environment as it does to everyday life. Segregation of (incompatible) duties is a basic management tool to ensure that employees will be deterred from committing fraud or misappropriating assets. Caution should be taken to analyze each situation to ensure that segregation of duties is cost beneficial and that employees realize that a sound control environment is for their individual protection as well as for the business organization.

If you have any concerns about this subject or need assistance in this area, please contact the Inspector General's Office at (561) 297-3682. Additional information on segregation of duties is available on the Website http://en.wikipedia.org/wiki/Segregation_of_duties.

Segregation of Duties was initially written in 1996 by Dianne Parkerson. It has been revised by Morley Barnett, Inspector General, and formatted into a Web document at www.fau.edu/admin/oig/segreg.php.


Departmental Cash Receipts & Deposits (All areas accepting payments)

Response columns: Yes / No / Sometimes / Req Info

Are department personnel (non-Controller’s Office Personnel) who handle cash and prepare deposits familiar with the University’s policies and procedures regarding cash funds?

When receiving cash for reimbursements or payments, are receipts issued or other documentation maintained that support the deposit in detail?

Is the individual responsible for collecting cash different from the one responsible for preparing the deposit?

If someone needs a personal check cashed, would you refer them to an ATM, Bank Atlantic campus branch or an independent financial institution rather than use departmental funds to cash the check?

Are funds collected and deposited within 5 working days?

Are all incoming checks immediately and restrictively endorsed with a stamp upon receipt from the issuer?

Are daily collections held in a secure manner until deposited in the Cashier's Office?

Are any differences between cash collected and receipts issued coded to the over/short account?

If gifts of cash or checks are received, are these forwarded to the FAU Foundation for deposit?

Is someone independently reviewing and approving voids and refunds including credit card refunds?

Are deposit records reconciled to Banner on a monthly basis to ensure they have been posted to the appropriate department codes for the appropriate amount?

Has the department consulted with the Controller’s Office concerning whether sales taxes are required to be charged to customers?

Are all used, unused and voided prenumbered receipts accounted for?

Is a mail log or receipt log utilized to record incoming funds?

Is a transfer document utilized as funds are passed from one individual or area to another?

For additional information on the above, review the audit finding at http://www.myflorida.com/audgen/pages/pdf_files/2006-044.pdf, Recommendation #6. In addition, contact the Office of the Inspector General for FAU Audit 06/07-1 and FAU Audit 06/07-2.


Disbursements / Payroll / Misc (All areas)

Response columns: Yes / No / Sometimes / Req Info

Do invoices for payment bear evidence of approval, with the correct organization number, account coding and correct number of signatures, in accordance with University policy?

Are departments sending signed invoices to to allowing them to be paid in compliance with vendor terms.

Are Banner reports reviewed on a monthly basis for accuracy and coding of payments?

After forwarding your invoices to Accounts Payable, do you verify that are accurately charged to your organization number?

Does someone monitor your versus Actual to ensure overages do not occur?

Do you currently review/reconcile monthly charges for telephone equipment (cell charges)? (Process may change in the future.)


Human Resources - www.fau.edu/hr/

Response columns: Yes / No / Sometimes / Req Info

Do you assure all new employees have completed all sign-in paperwork and new hire orientation documents prior to commencing work in your department?

Are applicant references checked by the hiring authority prior to extending offer?

Is the recruitment process as outlined at www.fau.edu/hr/Employment/recruitment.php followed?

Is sensitive personal employee information forwarded to Human Resources for inclusion in the official personnel file?

Are departmental time sheets and leave forms retained in accordance with the university’s official records retention schedule?

Do current job descriptions exist for all positions?

Do your departmental personnel files contain only appropriate and relevant information?

Do you have an open door policy for employee complaints?

Is the department aware of the procedures to be followed when an on the job injury occurs?

Is the workplace environment maintained with safety in mind?

Is the advice of Human Resources sought with respect to employee situations which may potentially give rise to disagreements, grievances or lawsuits?

Does the department follow separation procedures as outlined at www.fau.edu/hr/ProcNRec/Separation.php?

At the time of separation, does your department properly document the process of the return of University property by certifying the checklist prior to submitting a termination personnel action form to the University’s Human Resources Department as outlined in the Separation Procedure?


Human Resources cont.

Response columns: Yes / No / Sometimes / Req Info

Are user sign-on accounts always submitted for timely removal for employees who terminate employment in accordance with Separation procedures?

Are records maintained for Administrative, Managerial and Professional employees to monitor and verify vacation, sick, and personal days taken and available?

Are performance evaluations documented in writing and discussed with the employee?

Are performance evaluations completed on time?

Do you know the difference between exempt and non-exempt employees and the classification requirements in accordance with Fair Labor Standards Act?

Are individual supervisors notified when employee performance appraisals are due?

Are employees required to submit medical documentation for all medical leaves of over one week?

Are employees notified of their FMLA rights in a timely manner?


Purchasing (All areas) http://www.fau.edu/purchasing/

Response columns: Yes / No / Sometimes / Req Info

Have you secured 2 or more competitive quotes for orders between $12,500 and $49,999?

When placing orders for food and beverage, is an appropriate index being charged?

Are all purchases over $1000 made on properly approved Purchase Orders?

If a purchase order is to be utilized, does your department ever make purchases before the Purchasing Department has been notified and a PO number has been issued?

Are receiving reports compared in detail with purchase orders and vouchers (or invoices)?

Are contracts and leases approved by all parties involved prior to the effective date of the contract?

Have you provided a “benefit to state” statement where applicable, such as conference registrations, organizational memberships, etc.? Have you provided the conference location, list of attendees, and program dates for Registrations?

Does the membership organization provide an “Open Records Letter” certification or is there one currently on file?

Have you received perquisite approval from Human Resources for all uniforms, shoes and other required items of a personal nature?

Did you provide a “consulting services worksheet” for your Honorarium?

Has a cost savings memorandum been provided for requisitions used to pay hotel rooms?

Did you ensure that all goods and services have been received PRIOR to approving an invoice for payment?

Has the contract or agreement been signed only by an individual who is authorized to sign as delegated by the University President?


Purchasing cont.

Response columns: Yes / No / Sometimes / Req Info

Have you ensured that payments made via purchase orders are not being made directly to university faculty, staff, students?

Did you split the value of a single order in a deliberate attempt to keep the total value below a bid or quote threshold?

Are you, as an employee of the university, benefiting directly from the selection of a specific vendor? Is a friend or family member benefiting from this transaction?

Do you have Purchasing’s approval for items which are being taken in on loan, demonstration or trade?

Have you used a proper concession or foundation fund for items that are “promotional” in nature? Have you selected a licensed FAU vendor?

Is your annual maintenance PO payable in arrears? If not, did you provide the proper cost savings documentation from the vendor?

Has your Information Technology purchase of $12,499 or more received IRM approval? (Standard PCs and peripherals excluded.)

Did you receive approval to purchase or lease a copier from the Director of Business Services?

Are you attempting to purchase a capital item on a blanket purchase order?

Have you verified that you are still in possession of any equipment you are purchasing a maintenance agreement for?


p-Card (Any area with Purchasing Cards) http://www.fau.edu/purchasing/purchasingcard/

Response columns: Yes / No / Sometimes / Req Info

Do cardholders ensure that items purchased are appropriate against their particular funding source and in accordance with university and state policy?

Do cardholders forward a legible copy of the receipt (after signing and dating) to the approver within 3 working days after receipt of goods or services? (6 working days for travel related charges)

Do cardholders routinely request that state sales and use tax not be charged at the time of purchase?

Do cardholders ensure that their card is not loaned out to other employees?

Do cardholders know what their approved limits are?

Do cardholders know who to contact if their card is lost, stolen or otherwise compromised?

Do approvers routinely look for un-reviewed and un-approved transactions in Banner?

Do cardholders know that having the merchant split the payment for a single capital item is prohibited?

Are all original receipts and other supporting documentation retained properly?

Are approvers preparing a 3-way reconciliation monthly?

Are purchases approved by someone other than the cardholder?

Are approvers tracking disputed items to ensure that a proper credit is received?

Does the department manager approve spending limits for new cardholders and approve any permanent increases to those limits?

Does the approver know to contact the p-Card Administrator when unusual transactions appear in Banner?

Are the cards either normally kept on site (locked drawer/safe) or carried by the authorized user?


p-Card cont.

Response columns: Yes / No / Sometimes / Req Info

If purchases are made on this card and the charges transferred to other funds (especially federal grants or contracts), do you maintain proper documentation for the purchase and transfer?

Does the cardholder know how to dispute an unauthorized charge?

Do approvers properly question transactions where the business purpose is not readily apparent, or refer the transaction to the Purchasing Card Administrators?


Petty Cash (All areas with a petty cash fund) http://www.fau.edu/controller/cash_management/docs/Disbursing_Petty_Cash_Funds.doc

Response columns: Yes / No / Sometimes / Req Info

Does your department have a petty cash fund or keep cash in the area?

If yes, was the fund approved by the Controller’s Office?

Is there a specified custodian who is held accountable?

Are contents properly secured (locked up) when not in use?

Does someone other than the custodian review activity, count the funds, and reconcile that cash on hand plus paid receipts equals the amount of the Fund?

Are employees prohibited from using money from the petty cash fund for employee loans or to cash a check?

Are all payouts of petty cash accompanied by a signed receipt?


TRAVEL (All areas) www.fau.edu/controller/travel/

Response columns: Yes / No / Sometimes / Req Info

Is a travel plan being submitted and properly authorized in WOLF prior to leaving for an overnight trip or for any form of commercial transportation?

Are original, itemized receipts submitted for each exceeding $25.00 claimed on the expense reimbursement request?

If a meal is provided as part of a registered event, was a deduction to the per diem amount made for the corresponding meal?

When traveling by automobile, are University vehicles used whenever possible before seeking other alternatives?

Are personal expenses incurred on hotel bills or other purchase receipts such as in-room movies, valet and room service charges, etc., properly identified and deducted from the reimbursement claim?

Are expense reports being submitted for approval within 15 calendar days of returning from a trip?

When renting a vehicle, is a compact-size vehicle selected under normal traveling conditions?

If attending a registered event where meals are included in the cost of attendance, is a copy of the conference registration form included in the supporting documentation?

Is the University On-Site Travel Agency being used to arrange all airfare, lodging, car rental and transportation by common carrier?

Are all expense reimbursements approved by someone other than the individual incurring the expense or someone who reports to him/her?

Do those with approval authority ensure that both travel expenses are accurately coded to correct organization codes and account codes so that expenses are accurately reflected in budgetary reports and financial statements?

Has department management established any department-specific policies or guidelines relating to travel and entertainment or business meal expense reimbursement? If so, please attach a copy or provide a URL.


Job Aids for Units Handling Cash, Credit Cards and PCI Compliance

Response columns: Yes / No / Sometimes / Req Info

Are the daily money collections reviewed by a supervisor no later than one business day after receipt, and promptly deposited to the bank?

If mail/drop boxes are utilized, are there written handling procedures and are they followed?

Are there written procedures for handling cash shortages/overages and are they followed?

Are there written procedures regarding interactions with an armed courier and are they followed?

Do cashiers log off their computers and lock their cash drawers when they are away from the office?

Does each cash drawer have a unique lock/key?

Are there current, accurate logs of employees with cash drawer keys, cashier office keys, drop box combination/keys, alarm codes, access cards and safe combinations?

Are there surprise, documented cash counts by management – including the reserve change fund?

Are there documented tests of the alarm systems?

Are transfer logs required in accepting deposits from other departments?

Is credit card information kept in the strictest confidence to protect cardholders?

Is all paper and electronic media pertaining to credit card transactions (including paper receipts, faxes, disks in employee desks and PC hard drives) kept physically secure?

Is all physical credit card information destroyed within five days?

I understand that the use of a credit card machine that displays the entire cardholder number is prohibited.

For additional information on the above, contact the Office of the Inspector General for FAU Audit 06/07-1 and FAU Audit 06/07-2.
