Presentation on theme: "Getting Ready for an Internal Audit – Cycle 2"— Presentation transcript:
Slide 1: Getting Ready for an Internal Audit – Cycle 2
4/11/2012
A Review of Internal Controls
Slide 2: Areas that will be reviewed…
Financial
  A. Accounts Receivable
  B. Cash Receipting & Petty Cash
  C. Procurement
Human Resources
  A. Employee Termination Process
Information Systems
  A. Security Controls
  B. Backup & Recovery
General
  A. Scholarship Award Process
  B. Policies & Procedures
Slide 3: I. FINANCIAL
A. Accounts Receivable
B. Cash Receipting & Petty Cash
C. Procurement
Slide 4: A. Accounts Receivable
1. Monthly aging schedules or other adequate tracking methods must be used/documented to track past due accounts.
- Amounts owed to departments should be monitored monthly.
- Forgiving a debt is an impermissible donation, which is against the Mississippi Constitution (Article 4, Section 100).
- Amounts owed (account balances) can be monitored using an accounts receivable (A/R) aging schedule.
- Aging schedules can be prepared using accounting software (i.e. QuickBooks, Excel, etc.).
Slide 5: What is an Accounts Receivable Aging Schedule?
February 23, 2011
- An accounts receivable aging schedule is a list of all customers who are allowed to delay payment (i.e. charge items that they purchase from the department).
- The schedule shows who owes money, how much, and how current their balance is.
- Aging schedules are normally categorized as 0-30 days; days; days.
Slide 6: Accounts Receivable Aging Schedule
Customer payments are normally broken down into one of the following categories:
- Current: amounts where the payment date has not passed (i.e. sales made during the current month).
- 1 – 30 days: outstanding amounts where payment date has passed 1 – 30 days
- 31 – 60 days: outstanding amounts where payment date has passed 31 – 60 days
- 61 – 90 days: outstanding amounts where payment date has passed 61 – 90 days
- 90+ days: outstanding amounts where payment date has passed over 90 days
Usually consists of 7 columns set up as follows:
- Column 1: Customer name
- Column 2: Total customer A/R amount (Current days days, etc.)
- Columns 3 – 7: Aging categories (Current, 1 – 30 days, 31 – 60, etc.)
Slide 7: Example of an Accounts Receivable Aging Schedule
Columns: Customer Name; Total A/R; Current; 1-30 Days Past Due; 31-60 Days Past Due; 61-90 Days Past Due; Over 90 Days Past Due
Rows (values as they survive in the transcript; column positions are not recoverable):
John Adams: 1,600 300 500 -
Suzy Jones: 2,800
Jim Davis: 1,200 1,000 200
Tom Smith:
Lucy Walters: 2,000 1,100 400
Total: 9,200 5,200 2,600 900
Slide 8: A. Accounts Receivable
2. Documentation must exist to prove timely/routine attempts to collect past due accounts.
- Department should follow up monthly on past due amounts:
  - Letters
  - Phone calls
- Documentation
  - Copies of letters and e-mails should be kept in customer’s file
  - Collection calls should be documented (i.e. who spoke with whom, summary of the conversation, date, time, etc.)
- Retention
  - Copies of letters, e-mails, or call documentation should be retained in the customer’s file.
  - Documentation should be kept in the department for 7 years.
Slide 9: A. Accounts Receivable
3. Payroll deductions must be uploaded in a timely manner and monitored adequately.
- Departments must monitor to ensure that funds are received from payroll deductions.
- Departments should monitor for rejected charges resulting from mismatched names, incorrect ID, etc.
- Without monitoring, funds may not be received and services may continue to be provided without payment.
Slide 10: A. Accounts Receivable
4. Bursar accounts must be uploaded in a timely manner and adequately monitored.
- Departments should monitor to ensure that funds due to the department are received.
- Departments should monitor for rejected charges resulting from mismatched names, incorrect ID, etc.
- If problems are detected, they should be addressed immediately to ensure that problematic items are uploaded.
Slide 11: A. Accounts Receivable
5. Duties related to receiving funds, posting customer accounts, and reconciling must be adequately separated.
- The same employee should not be responsible for receiving funds, writing receipts, preparing deposits, and updating accounts.
- No single employee should have access to funds AND the ability to update accounts.
Slide 12: How We Test Accounts Receivable
Controls 1 & 2: Select 2 monthly aging schedules & select a sample of 5 customers from each schedule.
- Verify that A/R aging schedule is correct
- Inspect files to see that collection follow-up is occurring
Control 3: Select a sample of 5 fees that should have been uploaded as payroll deductions.
- Verify that fee uploaded correctly
- Verify that fee uploaded timely
Slide 13: How We Test Accounts Receivable (continued)
Control 4: Select a sample of 5 fees that should have been uploaded as bursar charges.
- Verify that fee uploaded correctly
- Verify that fee uploaded timely
Control 5: Combination of interview and inspection of documentation during testing to determine if there is proper segregation of duties.
Slide 14: B. Cash Receipting & Petty Cash
1. Departmental cash receipting and petty cash procedures must be in accordance with university policy.
The forms used are:
(1) The University of Mississippi official receipt. Cash receipt books can be ordered on the Internal Audit Website at the following link:
(2) The Cash Report, which can be found on the Internal Audit Website at the following link:
Once accumulated funds have reached $100, a deposit should be made; however, deposits should be processed no less than weekly regardless of the amount of receipts.
Slide 15: B. Cash Receipting & Petty Cash
When a department receives funds (i.e. cash, checks or credit card payments), the following steps apply:
1. Checks received should be carefully examined for complete information. Specifically:
   a. The amount, both numerical and written, must be accurate,
   b. The payor’s proper signature must be included, and
   c. Checks should be made payable to The University of Mississippi, as opposed to a department or individual.
   If all information is correct, the check must be immediately endorsed with a restrictive endorsement. (Contact the Bursar’s Office for required restrictive endorsement information.)
2. An official university receipt must be prepared by the department and processed as follows:
Slide 16: University Cash Receipt Example
Slide 17: University Cash Receipt Example (Continued)
Slide 18: B. Cash Receipting & Petty Cash
   a. The original copy (white) is given to the payor.
   b. The second copy (yellow) is attached to the department’s copy of the cash report and maintained within the department.
   c. The remaining copy (pink) is kept in the receipt book by the department for three fiscal years.
   d. If an error is made when preparing a receipt, all copies should be marked “VOID”. The department should retain all three copies of the voided receipt in the receipt book.
Note: As illustrated above, cash receipts must be completed as follows:
- Department name
- Date, including the year
- Amount
- Payor’s name
- Detailed description of the source of revenue to be completed in the “For” section of the cash receipt. The description should be adequate enough to enable the employee completing the Cash Report to know which account and G/L code should be used.
- Type of payment (i.e. cash, check, or other)
- Signature of person accepting the payment
3. The department completes the cash report:
Slide 19: University Cash Report Example
Slide 20: B. Cash Receipting & Petty Cash
   a. All reports must be numbered consecutively beginning each fiscal year (July 1st) with the number 1.
   b. The departmental name must appear on the form.
   c. The report must reflect the beginning and ending dates in which all cash, checks or credit card payments are receipted. Note: Cash Report dates should match cash receipt dates and funds must be receipted when received.
   d. The complete business area, general ledger number (BA-G/L No.), and profit center or short A/C Assignment number must appear on the form. Additional columns are available if funds are to be credited to multiple G/L numbers and profit centers/cost centers.
   e. The report must reflect beginning and ending official receipt numbers corresponding to the funds to be deposited. Note: If a department uses multiple cash receipt books, the numbers from each series should be shown separately.
Slide 21: B. Cash Receipting & Petty Cash
   f. Amounts must be totaled and recorded in the space provided (Total Receipts).
   g. Total credit card amounts must be subtracted from Total Receipts and included in the space provided (Less Total Credit Card Amts).
   h. The breakdown of the deposit (silver, currency, and/or checks) must be recorded in the space provided (Deposited as Follows). The total of the breakdown must equal Total Amount Deposited to Bursar.
   i. Any overage or shortage (difference between Total to be Accounted For and Total Amount Deposited to Bursar) must be recorded in the space provided. Note: If an overage or shortage is reflected on the form, an explanation should also be noted.
   j. Checks must be added twice and both adding machine tapes attached to the checks.
   k. The report must be signed by the department head.
Note: The report should also be signed and dated by the preparer and counter, if separate from the preparer.
Slide 22: B. Cash Receipting & Petty Cash
4. On a weekly basis, or when total receipts reach $100, the department should deliver the cash report and all corresponding funds to the Bursar’s Office for the following steps:
   a. The deposit is processed by the Bursar’s Office.
   b. A Bursar’s receipt is given to the department to be filed with a copy of the cash report and corresponding yellow official receipts in the department.
   c. The Bursar’s receipt number is recorded on the cash report.
   d. The original cash report is filed in the Bursar’s Office.
Slide 23: B. Cash Receipting
2. Funds must be adequately safeguarded.
- Access to the funds should be restricted to a few individuals.
- Funds should be kept in a secure location until deposited (i.e. lockbox, locked desk drawer, etc.).
Slide 24: B. Cash Receipting
3. Duties related to receipting, preparing deposits, and reconciliation of funds must be adequately separated.
- The same employee should not receive funds, prepare the deposit, and reconcile.
- One way to separate is to have the same employee receive funds and reconcile, and another employee prepare the deposit.
Slide 25: B. Cash Receipting
If a department receives a lot of revenues, reconciliation should include performing a revenue trend analysis (i.e. monthly, quarterly, or annually). This should be performed by someone other than the employee responsible for receiving funds and preparing cash reports.
Slide 26: Petty Cash
- When a petty cash custodian transfers or terminates from a department, a petty cash audit must be requested from internal audit and university records should be updated.
- Petty cash funds on hand must equal the amount recorded in the university general ledger. Fund custodian is responsible for any shortages.
- Cashing personal checks and IOUs or “borrowing” from petty cash for personal use is implicitly disallowed.
Slide 27: How We Test Cash Receipting
Control 1: Select 2 months of cash reports and select a sample of 5 from each month.
- Verify reports are consecutively numbered each fiscal year & numbers start over each July.
- Verify reports and receipt books are retained by the department for 3 years.
- Verify copies of Bursar receipts and correct cash receipt copy is attached to Cash Report.
- Review receipt books and verify receipt copies: white – payer, yellow – cash report, pink – stays in receipt book. Verify all three copies of voided receipts are in receipt book.
- Verify deposits are recorded correctly, timely, and cash reports are filled out correctly.
- Verify checks are made payable to the University of Mississippi.
Slide 28: How We Test Cash Receipting (continued)
Control 2: Combination of interview and inspection to determine if funds are safeguarded.
Control 3: Combination of interview and inspection of documentation during testing to determine if there is proper segregation of duties.
Slide 29: Related University Policy
- Cash Receipting and Reporting (Policy Code: ADM.AC )
- Petty Cash (Policy Code: ADM.AC )
Slide 30: Sales Tax Liability
- Departments must work with the Accounting Office to determine if revenue collected within the department requires the collection and reporting of sales tax.
- If sales tax is required, departmental employees must implement proper procedures to ensure that sales tax is reported accurately and timely.
- If sales tax is not collected and reported in a timely manner, the result could be monetary penalties to the University.
Slide 31: C. Procurement
1. Expenditures must be adequately documented to fully explain purchases.
A clear business purpose should be recorded for all P-card purchases, Request for Payments, Purchase Requisitions, Purchase Orders, and G/L Account Posting Document backup. This can be achieved in one of the following ways:
- Writing business purpose on document copy sent to procurement
- Writing business purpose on document copy retained by department
- Creating a spreadsheet maintained by the department that lists each expense and its business purpose
Slide 32: C. Procurement
2. Adequate documentation must be maintained to support fuel card expenditures.
- Fuel receipts should be submitted to appropriate departmental personnel in a timely manner for reconciliation and submission to Procurement Services.
- UM Vehicle/Asset number should be noted on fuel receipts.
- Fuel receipts and statements should be submitted to Procurement Services with Request for Payments.
- Copies of fuel receipts, corresponding statements, and Request for Payments should be retained within the department.
- Fuel related documentation (i.e. Request for Payment) must contain adequate explanation of the business purpose of the expenditures.
- There should not be any food or drink charges to the fuel card.
Slide 33: Did you know…
- Fuel cannot be charged for personal use.
- Only departments with university vehicles can apply for a departmental fuel card.
- Fuel card applications must go through Shelley Morrison in Procurement Services.
- Reconciliation of fuel charges can be delegated to other employees by the department head/signatory officer; however, the delegation should be included in the departmental policy and procedure manual.
- Responsibility for reconciling fuel charges should not be delegated to employees purchasing fuel.
- Signatory officers should review fuel reconciliations/receipts for reasonableness and appropriateness when approving/signing the Request for Payment.
Slide 34: Did you know…
- Fuel cards should NOT be used in the Oxford area. Use PPD Fueling Station instead.
- Fueling Station has fuel available
- It operates by having an assigned fuel key, coded to a specific vehicle, with specific employee ID numbers that are approved to purchase fuel. To use one of the fuel pumps, plug in your unique key, then type the SAP employee number, the vehicle unit number, and the current mileage on the pump’s key pad.
- PPD produces a monthly fuel report for each vehicle that purchased fuel, which is sent to all users to place in the monthly IHL Vehicle Report compiled by Patti Mooney.
Slide 35: C. Procurement
3. Request for Payments must be signed/approved by signatory officers.
- Employees cannot sign the signatory’s name on Request for Payments.
- The signatory’s name cannot be stamped on Request for Payments.
Slide 36: C. Procurement
4. Documentation must be maintained to fully explain the purpose of purchases processed as interdepartmental charges (i.e. Inn at Ole Miss, Printing, etc.).
Slide 37: Examples:
Inn at Ole Miss
- Departments should have a copy of the G/L Account Posting Document and itemized charges for each room.
- Departments should note on documents the business purpose for the individual’s stay.
Housing & Other Space Rental
- Departments should have an interdepartmental invoice or request.
- A clear business purpose/explanation should be included with/attached to these documents.
Printing Services
- Departments should have a packing slip, quote, or request.
- A clear business purpose should be included with/attached to these documents.
Ole Miss Express
- Departments should have an e-mail/memorandum request with a clear explanation of the business purpose.
Slide 38: C. Procurement
5. Duties related to purchasing, approving, and reconciling must be adequately separated.
- The same individual should not be purchasing, approving, and reconciling.
- Someone other than the individual responsible for purchasing (i.e. processing purchase requisitions) should be receiving Purchasing Notification Reports.
Slide 39: How We Test Procurement
Control 1: Select a sample of P-card and Request for Payment expenses to see if adequate documentation exists.
Control 2: Select a sample of fuel card expenses to see if adequate documentation exists.
Control 3: Select a sample of Request for Payments and inspect documentation to verify if they were signed/approved by signatory officers.
Slide 40: How We Test Procurement (continued)
Control 4: Select a sample of interdepartmental charges (i.e. G/L documents) to see if adequate documentation exists.
Control 5: Check recipients of Purchasing Notification Reports (PNRs). (PNRs should be reviewed by appropriate personnel. Failure to contact the Office of Procurement Services within 2 business days will be interpreted as approval of these transactions.)
Slide 41: Related University Policy
- Documentation of Financial Transactions (Policy Code: ADM.AC )
- Use of Procurement Card (Policy Code: PUR.PC )
Slide 42: General Procurement Information:
- Department heads are responsible for unallowable items paid, NOT Procurement Services.
- Signatory officers are responsible for monitoring expenses submitted for payment to ensure compliance with university policy and state law. Monitoring includes determining if an expense is appropriate/allowable and if adequate documentation/explanation is provided.
- Documents should not be submitted with the intent of Procurement Services’ personnel making this determination.
- Departments are responsible for ensuring that appropriate/authorized signatures are recorded on all expenditure documents.
Slide 43: General Procurement Information:
Alcohol cannot be reimbursed with university funds. This must be clearly communicated to all departmental employees. To help ensure compliance, receipts/documents should be reviewed by the department head or his/her designee prior to submission for reimbursement.
Document examples:
- Receipts included with requests for reimbursement
- Receipts related to procurement card purchases
- Hotel bills related to university travel (i.e. mini bar charges)
Slide 44: II. HUMAN RESOURCES
A. Employee Termination Process (includes resignations or transfers to another department)
Slide 45: Related University Correspondence
An excerpt from the August 8, 2007 Chancellor’s e-mail regarding the Mandatory Exit Checklist for Terminating/Transferring Employees:
“Effective immediately, the Employee Exit Checklist…must be completed and forwarded to Human Resources for all non-student employees terminating from or transferring within the University.”
Slide 46: A. Employee Termination Process
1. The University’s Employee Exit Checklist must be used consistently within the department.
- Accounting (i.e. payroll) and security risks (i.e. network access) arise when the University is not aware of employees changing departments or leaving the University.
- The Employee Exit Checklist must be completed anytime an employee terminates from the University or transfers departments within the University.
- This form can be accessed through the Human Resources website.
- Completed checklists must be forwarded to Human Resources.
- A non-mandatory Student Exit Checklist is also available on the Human Resources website for departmental use. These should not be forwarded to Human Resources.
Slide 49: A. Employee Termination Process
2. The Accounting Office must be contacted to change signatory officers or recipients of Monthly Budget Statements.
- Controls that rely solely on the automated e-mails sent by SAP (i.e. Budget Statements, Purchasing Notification Reports, etc.) will not be effective if accounting records are not updated.
- Signatory Officers must be updated anytime turnover occurs (i.e. a signatory officer terminates).
- Signatory officers should be reviewed in SAP or on Monthly Budget Statements periodically for accuracy.
- To request a change in signatory officer, e-mail Ms. Nina Jones in the Accounting Office.
- Maintain a copy of the request (i.e. e-mail) with the departmental copy of the Employee Exit Checklist.
Slide 50: How We Test Employee Termination
Controls 1 & 2: Select a sample of employees that have either transferred to a different department or have left the University.
- Verify that an Exit Checklist was completed for the employee.
- Verify that employee was removed as signatory officer and/or recipient of budget statements and Purchasing Notification Reports.
Slide 51: Related University Policy
- Terminal Interviews (Policy Code: HRO.EM )
Slide 52: III. INFORMATION SYSTEMS
A. Security Controls
B. Backup and Recovery
Remember these are applicable to both PCs and Macs!
A Review of Internal Controls: Internal Control Assessment
Slide 53: A. Security Controls (Physical)
Adequate controls must be in place to secure sensitive data, as well as equipment, against theft or physical damage.
- Physical access to servers maintained within the department should be restricted (i.e. should be in an office or locked room).
- Physical access to computers should be safeguarded against theft (i.e. laptops should not be left unattended when taken out of the office; computers should not be left in an unlocked area after hours, etc.).
- More departments are now using external hard drives. These must have restricted access as well.
- Server rooms should have a fire extinguisher. Contact PPD for appropriate type.
Slide 54: A. Security Controls
- It is recommended that departmental personnel determine if confidential data must be maintained on their computers; confidential data should not be maintained if it is accessible online (i.e. SAP). Maintaining confidential data exposes the department and University to security breach risks.
- According to Mississippi Data Breach Notification Law, Miss. Code Ann. § , “A person who conducts business in this state shall disclose any breach of security to all affected individuals. The disclosure shall be made without unreasonable delay…”
- In addition to the state law description, other types of data, such as student grades and classified research, are considered confidential by the University and federal law.
Slide 55: A. Security Controls (Logical)
2. Access to university records must be adequately restricted through the use of unique user ids and passwords.
- Laptops, desktops, servers, SAP, other software programs (i.e. QuickBooks), etc. should require a unique user id and password to log on.
- User ids and passwords should not be visually displayed.
- User ids and passwords should never be shared.
- We recommend that computers be set to require a password once the screen saver appears (i.e. the computer remains dormant for a period of time).
Slide 56: A. Security Controls
3. The latest anti-virus software and operating system (OS) patches must be installed on all departmental computers and servers.
- Viruses are costly to the University in terms of data loss, staff time to recover systems, and delay of important work.
- Departments are responsible for purchasing virus protection software for all departmental machines.
- Employees are responsible for:
  - Updating virus protection software regularly
  - Configuring machines to perform frequent (at least weekly) automatic full system scans
  - Being careful when opening attachments
  - Reporting all significant virus incidents to the IT Helpdesk
Slide 57: Windows 7 Auto OS Update Setting
Slide 58: Symantec Anti-Virus Full Scan Setting
Slide 59: A. Security Controls
4. Servers containing critical and confidential information must have a hardware firewall.
- To help avoid unauthorized access to data by employees, hackers, etc.
- To help reduce viruses/attacks to university systems.
- Confidential information cannot be stored on external systems/servers (3rd party applications) unless contracts include certain provisions relating to confidential information (Section 11 of the Information Confidentiality/Security Policy).
Slide 60: A. Security Controls
5. Servers which contain confidential information or have open ports, and computers which contain confidential information must be registered with the Campus Security Coordinator.
- (Departments can contact David Drewrey’s office to determine if the server has open ports.)
- Vulnerability scans are performed on registered servers.
- To register, log into portal via, then click the “Tools and Resources” tab at the top to get to the Server Registry.
Slide 61: The decision as to whether a machine has Critical or Non-Critical data will depend on each department and user.
Slide 62: How We Test Security Controls
Controls 1 – 3: Select a sample of computers (PCs and Macs) and servers (internal and external).
- Verify physical security by inspection and employee inquiry.
- Perform vulnerability scans to check for computers with high security risks.
- Verify the use of unique user IDs and passwords by inspection and employee inquiry.
- Verify the computer/server has adequate anti-virus, receives regular updates, etc.
Control 4: Verify that computers and servers with confidential information are protected by a firewall.
Control 5: Verify that appropriate computers and servers are registered with the Campus Security Coordinator.
Note: We will NEVER look at personal files while we are performing testing; we are only looking for security settings.
Slide 63: B. Backup and Recovery
1. Routine backup procedures must be established for departmental computers.
- Specific departmental procedures, including how to back up and how often, should be documented in the departmental policies and procedures manual, which should be reviewed by all employees.
- Backups should be scheduled to run automatically on a routine basis.
- We suggest that critical data be backed up daily and non-critical data be backed up weekly or semi-weekly.
- Automatic backups can be set up through Windows Backup Utility, Mac Time Capsule, etc.
- We don’t recommend backups to a USB drive because they can be lost or stolen very easily.
- A departmental employee should be assigned the responsibility for ensuring that adequate backups are performed.
- A detailed recovery plan should be established and included in the policies and procedures manual.
Slide 64: How We Test Backup and Recovery
Control 1: Select a sample of computers (PCs and Macs) and servers (internal).
- Verify that computers and servers are backed up appropriately based on the type of data that it contains.
- Determine if backups are being performed manually or automatically by the system.
- If an external hard drive is used for backup, determine if it is kept physically secure.
Slide 65: Related University Policies
- Anti-Virus Protection for UM Computers (Policy Code: ACA.IT )
- IT Appropriate Use (Policy Code: ACA.IT )
- Information Confidentiality/Security (Policy Code: ACA.IT )
Slide 66: General Information Regarding Information Systems:
- All departmental SAP users, as well as any employee using and/or maintaining electronic confidential and/or critical data, should attend Security Awareness Training every two years.
- Departments should track and document attendance for employees required to attend Security Awareness Training.
- Confidential information should not be forwarded through e-mail. Use the secure document exchange in myOleMiss.
Slide 67: IV. GENERAL
A. Scholarship Award Process
B. Policies and Procedures
Slide 68: A. Scholarship Award Process
1. The department must establish a formal process by which scholarship applicants are reviewed and selected.
Formal Process should include:
- Documentation as to the funding source of scholarships (i.e. grants, departmental budget, etc.)
- Description of the Application Process
- Guidelines of awarding scholarships including: minimum criteria, who decides the recipient and the amount of the award, if anyone is ineligible from receiving the scholarship (i.e. family members of faculty staff within the department)
- Having more than one individual involved in the selection process
Maintain good documentation, especially if family members of departmental personnel are awarded scholarships.
Slide 69: How We Test Scholarship Awards
Control 1: Select 5 scholarship recipients.
- Determine if the award process was documented, including the selection of each scholarship winner.
Slide 70: B. Policies and Procedures
1. Documented departmental policies and procedures must be established for areas under review.
- Written departmental policies and procedures should be developed for all areas reviewed.
- Within departmental manual, include a list of university policies related to the department / areas so employees (especially new employees) are aware of them.
- Periodically review university policies related to their areas to help determine if changes or updates are needed to maintain compliance.
- Personnel should be assigned to perform duties in the event of another employee’s absence.
- Written departmental policies and procedures will help to ensure that data is recorded accurately, procedures are performed consistently, and new and backup personnel have necessary information to help maintain continuity of operations.
Slide 71: How We Test Policies and Procedures
Control 1: Obtain departmental policies and procedures manual.
- Review for all areas covered under our ICA audit.
- Determine whether manual has been communicated to/reviewed by departmental employees.
- Determine whether there is documentation of communication to employees (i.e. e-mail, signatures indicating review, etc.).
- Determine whether there is a process in place to update annually.