Presentation is loading. Please wait.

Presentation is loading. Please wait.

Basic Departmental Internal Controls Presented by The Office of Internal Audit 2010 Office of Internal Audit Integrity ∙ Accountability ∙ Security.

Similar presentations


Presentation on theme: "Basic Departmental Internal Controls Presented by The Office of Internal Audit 2010 Office of Internal Audit Integrity ∙ Accountability ∙ Security."— Presentation transcript:

1 Basic Departmental Internal Controls Presented by The Office of Internal Audit 2010 Office of Internal Audit Integrity ∙ Accountability ∙ Security

2 Office of Internal Audit Integrity ∙ Accountability ∙ Security Basic Control Assessment Report Our training today is going to focus on the fifteen areas reviewed in the report

3 Office of Internal Audit Integrity ∙ Accountability ∙ Security 1. RECONCILIATION OF ACCOUNT BALANCE 2. LEAVE 3. RECORDS OF HOURS WORKED 4. PAYROLL PROCESS 5. COMPENSATORY TIME BALANCES 6. CASH ON HAND 7. CASH RECEIPTS/HANDLING 8. APPROVAL 9. PROCUREMENT CARD 10. LONG DISTANCE / CELL PHONE CHARGES 11. PROPERTY MANAGEMENT 12. FACILITIES MANAGEMENT Fifteen Key Areas 13. SPONSORED RESEARCH 14. INFORMATION SECURITY 15. General Administration & FLEET CARD

4 Office of Internal Audit Integrity ∙ Accountability ∙ Security A. RECONCILIATION OF ACCOUNT BALANCES See policy “Account Reconciliation”, 61.01

5 Office of Internal Audit Integrity ∙ Accountability ∙ Security Reconciliation methods will vary depending on the size of the department and/or the account being reconciled. All reconciliations should be supported by a Banner ledger report such as FWREXEG or FWREXDP. A. RECONCILIATION OF ACCOUNT BALANCES

6 Office of Internal Audit Integrity ∙ Accountability ∙ Security FWREXEG 1. Documentation exists to support timely reconciliation of departmental accounts on a consistent basis. Must be: 1.Timely; 2.Supported by detailed ledger report; 3.Reconciled consistently. A. RECONCILIATION OF ACCOUNT BALANCES

7 Office of Internal Audit Integrity ∙ Accountability ∙ Security FWREXEG 2. Documentation exists to support … reviewed … timely … by the … department head, designee, or principal investigator. Must be: 1.Signed by reconciler; 2.Signed by reviewer; Without Documentation (I.E. signature) cannot verify that review took place. A. RECONCILIATION OF ACCOUNT BALANCES

8 What is the purpose of review? The purpose of reviewing a reconciliation or any other document is to ensure the document appears accurate. Therefore, the reviewer should be someone who was knowledgeable regarding the area being presented and would be able to identify errors or irregularities.

9 Office of Internal Audit Integrity ∙ Accountability ∙ Security FWREXDP Same requirements apply for non-E&G (I.E., timely, detailed, consistent). Except, “…principal investigators should always review their own (research) account reconciliations”. – OP 61.01 Required to ensure compliance with OMB A-21 and OMB A-133. A. RECONCILIATION OF ACCOUNT BALANCES

10 Office of Internal Audit Integrity ∙ Accountability ∙ Security 3. Departmental account fund balances appear adequately provided for without significant deficits. We and departments should be concerned about: 1. Accounts with significant deficits. 2. Accounts with negative change without expectation of relief. FZICHFB -200,000.00 100,000.00 -100,000.00 -300,000.00 A. RECONCILIATION OF ACCOUNT BALANCES

11 Office of Internal Audit Integrity ∙ Accountability ∙ Security B. LEAVE See policies: HRM 60-201; and AOP 13.13

12 Applies to all employees, faculty and staff. Office of Internal Audit Integrity ∙ Accountability ∙ Security B. LEAVE 1. All eligible employees appear to be reporting leave usage. Being reviewed by our office during assessments and annually university wide. The authorizing or taking leave without the completion and submission of appropriate leave forms is considered a misuse of assets (policy 01.19) and would be subject to disciplinary action.

13 Each department should have one individual responsible for reviewing/ reconciling leave processed/input to leave reported in Banner. Office of Internal Audit Integrity ∙ Accountability ∙ Security B. LEAVE 2. Documentation exists to support that leave usage and balances are reviewed timely. Must have documentation of review/reconciliation. Should be initialed by reviewer. - Errors in leave balances are found in many of our control assessments!

14 Office of Internal Audit Integrity ∙ Accountability ∙ Security B. LEAVE 2. Documentation exists to support that leave usage and balances are reviewed timely.

15 Must have documentation that the leave of the individual responsible for processing leave is also reviewed. Office of Internal Audit Integrity ∙ Accountability ∙ Security B. LEAVE 3. Documentation exists to support independent review of the processor's leave. Must have documentation of review such as reconciliation initialed or signed by department head or designee.

16 Based on federal/state law, rules and regs. Office of Internal Audit Integrity ∙ Accountability ∙ Security C. RECORDS OF HOURS WORKED 1. Time sheets/cards are maintained by the department for all non-exempt employees. Non-exempt employees include: - Clerical/Secretarial - Technical/Paraprofessional - Skilled Crafts - Service/Maintenance - Temporary Employees

17 Generally any employee that shows up on the Post-Time Entry report that is printed after entering time. Office of Internal Audit Integrity ∙ Accountability ∙ Security 1. Time sheets/cards are maintained by the department for all non-exempt employees. PERS requires a time record for all rehired retirees. Non exempt retirees use standard time report. Exempt retirees would use Rehired Retiree Work Record (Both forms located on HRM website). C. RECORDS OF HOURS WORKED

18 Office of Internal Audit Integrity ∙ Accountability ∙ Security 2. Time sheets/cards appear accurate and include the recording of both leave and compensatory time. Leave and comp time forms should be compared to timesheets to ensure they agree. C. RECORDS OF HOURS WORKED

19 Office of Internal Audit Integrity ∙ Accountability ∙ Security 3/4. Time sheets/cards are signed and dated by the employee/ supervisor after the time period being reported. Signatures document agreement as to the hours worked. C. RECORDS OF HOURS WORKED

20 Office of Internal Audit Integrity ∙ Accountability ∙ Security D. PAYROLL PROCESS In our review/assessment of the payroll process our main objective is to ensure that hourly employees are paid for the hours worked and recorded on the timesheets. This should not be to the exclusion of salaried/exempt employees pay. If possible all pay should be reconciled, including that of salaried/exempt employees.

21 Office of Internal Audit Integrity ∙ Accountability ∙ Security D. PAYROLL PROCESS (Timesheet to Ledger) 1. Documentation exists to support that time sheets are reconciled to Post Time Entry Reports. Timesheet showing 5.25 hours

22 Office of Internal Audit Integrity ∙ Accountability ∙ Security 1. Documentation exists to support that time sheets are reconciled to Post Time Entry Reports. Timesheet 5.25 hours Post-Time Entry Report 5.25 hours D. PAYROLL PROCESS (Timesheet to Ledger)

23 Office of Internal Audit Integrity ∙ Accountability ∙ Security 2. Documentation exists to support that Post Time Entry Reports are reconciled to Payroll Vouchers. Post-Time Entry Report 5.25 hours Payroll Voucher 5.25 hours for total pay of $30.71 D. PAYROLL PROCESS (Timesheet to Ledger)

24 Office of Internal Audit Integrity ∙ Accountability ∙ Security 3. Documentation exists to support that Payroll Vouchers are reconciled to Banner. Payroll Voucher 5.25 hours for total pay of $30.71 Ledger Report pay of $30.71 D. PAYROLL PROCESS (Timesheet to Ledger)

25 Office of Internal Audit Integrity ∙ Accountability ∙ Security ( Timesheet to Ledger) D. PAYROLL PROCESS

26 No Payroll Voucher? 1.Reconcile directly from Post-Time Entry Report (PTER) to Banner; or 2.Use Banner report PWRDSPV or PWRVOCC

27 Office of Internal Audit Integrity ∙ Accountability ∙ Security 4. Payroll duties appear to be adequately separated. The more duties are separated the better the internal controls. At a minimum, two persons should be involved in the payroll process. Note – Time sheets should not be delivered for input by the employee or student represented. After reviewing and signing, the supervisor should forward timesheets for processing. D. PAYROLL PROCESS

28 Office of Internal Audit Integrity ∙ Accountability ∙ Security E. COMPENSATORY TIME BALANCES 1. Documentation exists to support that compensatory time balances are reconciled by one individual. Comp balances should be reconciled to time sheets and documentation retained/maintained by one individual. Each employee that accrues comp time should not be responsible with keeping up with their own comp time.

29 Office of Internal Audit Integrity ∙ Accountability ∙ Security 2. Documentation exists to support that the reconciler’s compensatory time balance is reviewed. Many times the individual responsible for maintaining comp balances also accrues comp time. If so, someone else should review their comp balance. - Review documented by reviewers initials. E. COMPENSATORY TIME BALANCES

30 Office of Internal Audit Integrity ∙ Accountability ∙ Security Departments are HIGHLY encouraged to maintain compensatory time balances in Banner. This provides a centralized and uniform process that provides greater internal control. E. COMPENSATORY TIME BALANCES

31 Office of Internal Audit Integrity ∙ Accountability ∙ Security F. CASH ON HAND 1. Documentation exists to support that cash on hand is properly reconciled. Petty cash or change funds must be reconciled in a timely manner and accurately reflect amounts indicated in Banner. If you receive cash how do you make change unless you have a change fund? - University funds used for change must be recorded in Banner.

32 Office of Internal Audit Integrity ∙ Accountability ∙ Security 2. Cash appears to be adequately safeguarded. Change funds and cash receipts should be kept secure, preferably locked away in a fireproof safe or file cabinet. F. CASH ON HAND

33 Office of Internal Audit Integrity ∙ Accountability ∙ Security G. CASH RECEIPTS/HANDLING See the “Cash Handling” policy 62.07

34 Office of Internal Audit Integrity ∙ Accountability ∙ Security 1. Documentation exists to support that cash receipts are reconciled to Banner. Account reconciliation should include the reconciliation of cash receipts. However, during our control assessments we have noted most departments reconcile expenditures but few reconcile cash. Documentation of cash received, especially currency or checks received directly by the department, should be reconciled from receipt documentation (cash receipt form, cash log, etc.) to BANNER. G. CASH RECEIPTS/HANDLING

35 Office of Internal Audit Integrity ∙ Accountability ∙ Security 2. A pre-numbered receipt, cash log, register tape, or etc. is used to document cash received. Must have some documentation that provides accurate record of funds received in order to reconcile. G. CASH RECEIPTS/HANDLING

36 Office of Internal Audit Integrity ∙ Accountability ∙ Security 3. Cash is physically safeguarded in a secured area until deposit. As was stated with change funds, cash receipts should be kept secure, preferably locked away in a fireproof safe or file cabinet. Cash receipts should be deposited weekly or when balance reaches $200, whichever comes first. (OP 62.07) G. CASH RECEIPTS/HANDLING

37 Office of Internal Audit Integrity ∙ Accountability ∙ Security Note – Because of the “liquid” nature of cash this area may receive more scrutiny than any other during a control assessment. It is highly recommended for individual departments to get out of the cash (includes currency and checks) collection business if at all possible. If cash is being collected from students other alternatives should be considered such as direct charges to student’s accounts receivable instead of receiving cash. G. CASH RECEIPTS/HANDLING

38 Office of Internal Audit Integrity ∙ Accountability ∙ Security I. PROCUREMENT/FLEET CARD 1. Card transactions are adequately supported and reconciled to bank statements. Someone needs to be looking at the transactions on the statement and comparing them to actual vendor receipts to make sure they appear appropriate. Once again, need documentation, I.E., initials of reconciler, tick marks, and supporting documents.

39 Office of Internal Audit Integrity ∙ Accountability ∙ Security FLEET CARDS We are now including a review of fleet card transactions in our control assessments. This includes any fuel cards Shell, Chevron, BP, Fuelman. Will need detailed statements that show what was purchased, when purchased, quantity, and price. Should be supported by detailed receipts. Should be tied to a specific vehicle and or other use. (For vehicles should be tied to vehicle log). We must be able to prove/verify that purchase was made for the use/benefit of university.

40 Office of Internal Audit Integrity ∙ Accountability ∙ Security 2. Documentation exists to support review of card journal entries and statements. This is a review by someone other than the reconciler. Must be documented (Bank/credit card statement also initialed by reviewer) Reviewer must be knowledgeable about what should or shouldn’t be purchased/charged on the card and should question unusual purchases. I. PROCUREMENT/FLEET CARD This includes Fleet/Gas Card Statements

41 Office of Internal Audit Integrity ∙ Accountability ∙ Security 3. A sign in sheet, containing adequate information, is maintained to record card users. The need for and/or amount of information necessary on a sign in sheet depends on the number of individuals allowed to use a given procurement card the frequency of transactions. Should include who, what, when(date & time), where, why, and how much. - documentation must be adequate to determine who made a particular purchase and why it is a legitimate University purchase. I. PROCUREMENT/FLEET CARD

42 Office of Internal Audit Integrity ∙ Accountability ∙ Security 4. All cards are kept in a secure place such as a locked drawer or file cabinet. Yes you can take it out to use, but keep it safe, don’t carry it around when you don’t need it. Don’t carry on weekends or on vacation or even overnight if you don’t have to!! I. PROCUREMENT/FLEET CARD

43 Office of Internal Audit Integrity ∙ Accountability ∙ Security J. LONG DISTANCE PHONE CHARGES 1. Documentation exists to support that statements are reviewed by the responsible employee. Employees responsible for LDS number should review. Each Employee making long distance calls should have their own unique LDS number.

44 Office of Internal Audit Integrity ∙ Accountability ∙ Security 2. Documentation exists to support that statements are reviewed by the department head/designee. Department head or designee should review. Need to document by signing or initialing statement. J. LONG DISTANCE PHONE CHARGES

45 Office of Internal Audit Integrity ∙ Accountability ∙ Security K. PROPERTY MANAGEMENT 1. Documentation exists to support annual observation of inventory by someone other than or in addition to the inventory representative. Adequate internal controls require having more than one person involved in custody/monitoring/ processing of assets.

46 Office of Internal Audit Integrity ∙ Accountability ∙ Security 1. Documentation exists to support annual observation of inventory by someone other than or in addition to the inventory representative. At least once a year someone other than the person normally responsible, should make sure everything can be accounted for! We recommend this be done during the physical inventory required by receiving and property control. Once again, must be documented (I.E., have inventory observer sign the property report). (person should be involved in observation process) K. PROPERTY MANAGEMENT

47 Office of Internal Audit Integrity ∙ Accountability ∙ Security 2. Documentation exists to support the use of Hand Receipts for the removal of property off campus. When it is necessary to remove equipment from assigned department in order to conduct official University business, a hand receipt should be kept on file by the department with a copy forwarded to R&PC. This includes cell phones and laptops. (MSU Property Manual) The idea is to be able to either produce the actual property item or documentation of where it is at all times. K. PROPERTY MANAGEMENT

48 Office of Internal Audit Integrity ∙ Accountability ∙ Security 3. Documentation exists to support independent observation when processing Hand Receipts. Whenever a hand receipt is issued, the inventory representative must physically observe the equipment in question. This includes when initial hand receipt is issued or when it is updated every twelve months. (I.E. independent verification of the property). K. PROPERTY MANAGEMENT

49 Office of Internal Audit Integrity ∙ Accountability ∙ Security 4. Documentation exists to adequately support vehicle fuel and maintenance expenditures. How much does it cost to operate and maintain your departments vehicle? A fuel and maintenance log should be kept for each vehicle that records all related expenditures. This should include the type (fuel, oil, repair) and the cost. The log should include the odometer reading (mileage) when the expenditure took place. K. PROPERTY MANAGEMENT

50 Vehicle log books are now available from Receiving and Property Control K. FLEET MANAGEMENT

51 Vehicle log books are now available from Receiving and Property Control K. FLEET MANAGEMENT

52 Vehicle log books are now available from Receiving and Property Control K. FLEET MANAGEMENT

53 Office of Internal Audit Integrity ∙ Accountability ∙ Security 5. Documentation exists to support adherence to Fleet Management Guidelines. How many of you new we even had Fleet Management Guidelines? Located @ http://www.procurement.msstate.edu Documentation would include appropriate vehicle records, employee vehicle use forms. K. PROPERTY MANAGEMENT

54 Office of Internal Audit Integrity ∙ Accountability ∙ Security 1. Documentation exists to support the maintenance of an accurate record of keys issued and periodic analysis of missing keys to ensure adequate security. When was the last time your office, suite, building and/or facility was keyed or rekeyed? Can you account for all keys issued? Are people, property, and information adequately secured? L. FACILITIES MANAGEMENT

55 Office of Internal Audit Integrity ∙ Accountability ∙ Security L. FACILITIES MANAGEMENT 1. Documentation exists to support the maintenance of an accurate record of keys issued and periodic analysis of missing keys to ensure adequate security. Each department should have a current and accurate list of all keys issued to the department (and keys issued by the department to employees) to ensure that all keys can be accounted for and to help reduce the chance that access to sensitive/restricted areas could be gained by unauthorized persons.

56 Office of Internal Audit Integrity ∙ Accountability ∙ Security M. SPONSORED RESEARCH 1. Documentation exists to support the timely, accurate completion of Confirmation of Effort reports by someone with a suitable means of verification that the work was performed. This is a federal regulation (OMB A-21). “Suitable means of verification” is straight out of OMB A-21. This infers that the individual signing the form has received definitive and verifiable confirmation from the individual performing the work or from an individual that has specific knowledge of the work. Verification should be accompanied by written documentation.

57 Office of Internal Audit Integrity ∙ Accountability ∙ Security M. SPONSORED RESEARCH 1. Documentation exists to support the timely, accurate completion of Confirmation of Effort reports by someone with a suitable means of verification that the work was performed. Therefore, the person signing the confirmation should either be the individual represented, the Principle Investigator, or someone with documented verification as to the effort being reported.

58 Office of Internal Audit Integrity ∙ Accountability ∙ Security M. SPONSORED RESEARCH 1. Documentation exists to support the timely, accurate completion of Confirmation of Effort reports by someone with a suitable means of verification that the work was performed. If you have non-exempt employees being charged to sponsored projects then timesheets must provide sufficient documentation as to how much time was spent on a specific project. Additional care should be taken if individual work on multiple projects during a given time period.

59 Office of Internal Audit Integrity ∙ Accountability ∙ Security N. INFORMATION SECURITY 1. Sensitive information appears to be adequately secured. Sensitive Information would include but is not limited to: Social Security Numbers Credit Card Numbers Patient medical records Financial records (donor, student, employee) Personnel/Human Resources records Student records (scores, transcripts, etc.) Passwords, access codes, encryption keys Research data

60 Office of Internal Audit Integrity ∙ Accountability ∙ Security N. INFORMATION SECURITY 1. Sensitive information appears to be adequately secured. For any sensitive info: Access should be limited to only with those with a need to know. Physical (paper) documents should be kept safe and locked in a secure area. Departmental policy should require password protection on computers and encryption software on laptops. Local area networks should be properly secured.

61 Office of Internal Audit Integrity ∙ Accountability ∙ Security N. INFORMATION SECURITY 2. Documentation exists to support compliance with information security policies. Policies in question would include: Information Security Policy, 01.10 Social Security Number Usage, 01.23

62 Office of Internal Audit Integrity ∙ Accountability ∙ Security N. INFORMATION SECURITY 2. Documentation exists to support compliance with information security policies. By July of 2006, the SSN will no longer be used as the primary identifier of individuals associated with MSU….. - (Social Security Number Usage, 01.23) So quit using it for: - Time Sheets - EAFS (other than original employment) - Travel - Any other document where it is not required!

63 Office of Internal Audit Integrity ∙ Accountability ∙ Security N. INFORMATION SECURITY 2. Documentation exists to support compliance with information security policies. At this point the control assessments focus mainly on the “Social Security Number Usage” policy, 01.23, which requires the following forms for the following situations: - Form SSN01 for storing SSNs in computer system. - Form SSN02 for generating files and reports with SSNs. - Form SSN03 for transmitting unencrypted SSNs off campus. - Form SSN04 for employees with electronic access to SSNs. - Form SSN05 for solicitation of SSNs. - "Employee SSN Confidentiality Statement” for employees with access to SSNs. (Will apply to almost all departments since if you hire employees you will have to get SSNs for payroll/tax purposes).

64 Office of Internal Audit Integrity ∙ Accountability ∙ Security N. INFORMATION SECURITY 3. Documentation exists to support compliance with software licensing agreements. Per OP 01.12, “Examples of inappropriate and unacceptable use of computing and networking resources….violation of software license agreements”. Departments must have proof of ownership/license agreements for software used on university computers. Documentation could include actual license agreement or copy of vendor invoice. University (ITS) does not maintain license for departments even for some software “pushed” or accessed from the super server.

65 Office of Internal Audit Integrity ∙ Accountability ∙ Security N. INFORMATION SECURITY 4. Documentation exists to support completion of information security training by appropriate persons. Per MSU’s Information Security Program, all employees who have access to sensitive information must complete the online information security certification. Internal Audit can and will run a report that tells us who has and has not completed said certification. The certification can be found on the onCampus website under the “Office” tab. Departments can monitor their employee’s completion of the certification by running banner report PWRISTL.

66 Office of Internal Audit Integrity ∙ Accountability ∙ Security O. GENERAL ADMINISTRATION 1. Current desk manual exists for critical departmental controls and procedures. We recommend that a desk manual be developed detailing critical procedures in the event of hiring a new employee or temporary worker substituting for an absent employee. We recommend that the manual detail tasks to be completed daily and tasks completed periodically/monthly with recommended timelines. The manual should be reviewed periodically with any changes noted.

67 Office of Internal Audit Integrity ∙ Accountability ∙ Security O. GENERAL ADMINISTRATION 2. Required postings of information maintained within department.. Whistleblower poster. During assessments we will request to see where these postings are displayed.

68 Office of Internal Audit Integrity ∙ Accountability ∙ Security Record Retention There is no official MSU or IHL retention Policy. We recommend for most documents such as department copies of purchases, invoices, ledgers, procard statements and support, and etc: Current Year plus three prior.

69 Office of Internal Audit Integrity ∙ Accountability ∙ Security Record Retention Specific HR/Payroll Guidance (HRM 60-109): Departmental Employee File If a department maintains a departmental employee file, upon the employee’s separation, the file must be forwarded to HRM. Leave Records Copies of Application for Leave and associated documents will be retained for four calendar years. Leave records older than four years will be destroyed. Time Records Departments who have non-exempt employees should retain the employee time sheets for a minimum of four years.

70 Office of Internal Audit Integrity ∙ Accountability ∙ Security Record Retention Exceptions: Any documents that support sponsored/externally funded expenditures must be retained according to the grant/contract/authoritative document. May be longer than 3 or 4 years. Need to talk to Registrar regarding student files and Provost regarding faculty files.


Download ppt "Basic Departmental Internal Controls Presented by The Office of Internal Audit 2010 Office of Internal Audit Integrity ∙ Accountability ∙ Security."

Similar presentations


Ads by Google