Getting Ready for an Internal Audit Cycle 2

Getting Ready for an Internal Audit – Cycle 2 A Review of Internal Controls 1

Areas that will be reviewed… I. Financial A. Accounts Receivable B. Cash Receipting & Petty Cash C. Procurement II. Human Resources A. Employee Termination Process III. Information Systems A. Security Controls B. Backup & Recovery IV. General A. Scholarship Award Process B. Policies & Procedures 2

I. FINANCIAL A. Accounts Receivable B. Cash Receipting & Petty Cash C. Procurement 3

A. Accounts Receivable 1. Monthly aging schedules or other adequate tracking methods must be used/documented to track past due accounts. Amounts owed to departments should be monitored monthly. Forgiving a debt is an impermissible donation, which is against Mississippi Constitution (Article 4, Section 100). Amounts owed (account balances) can be monitored using an accounts receivable (A/R) aging schedule. Aging schedules can be prepared using accounting software (i. e. Quick. Books, Excel, etc). 4

What is an Accounts Receivable Aging Schedule? An accounts receivable aging schedule is a list of all customers who are allowed to delay payment (i. e. charge items that they purchase from the department). The schedule shows who owes money, how much, and how current their balance is. Aging schedules are normally categorized as 0 -30 days; 30 -60 days; 60 -90 days.

Accounts Receivable Aging Schedule Customer payments are normally broken down into one of the following categories: – Current: amounts where the payment date has not passed (i. e. sales made during the current month). – 1 – 30 days: outstanding amounts where payment date has passed 1 – 30 days – 31 – 60 days: outstanding amounts where payment date has passed 31 – 60 days – 61 – 90 days: outstanding amounts where payment date has passed 61 – 90 days – 90+ days: outstanding amounts where payment date has passed over 90 days Usually consists of 7 columns setup as follows: – – – Column 1: Customer name Column 2: Total customer A/R amount (Current + 1 -30 days + 31 -60 days, etc. ) Columns 3 – 7: Aging categories (Current, 1 – 30 days, 31 – 60, etc. ) 6

Example of an Accounts Receivable Aging Schedule Customer Name John Adams Suzy Jones Jim Davis Tom Smith Lucy Walters Total 31 -60 61 -90 Over 90 1 -30 Days Past Total A/R Current Past Due Due 1, 600 2, 800 1, 200 1, 600 2, 000 9, 200 300 500 - 300 2, 800 - 1, 000 - 200 - 1, 600 - 1, 100 500 400 - 5, 200 2, 600 900 200 300 7

A. Accounts Receivable 2. Documentation must exist to prove timely/routine attempts to collect past due accounts. Department should follow-up monthly on past due amounts: – Letters – Phone calls – Email Documentation – Copies of letters and emails should be kept in customer’s file – Collection calls should be documented (i. e. who spoke with whom, summary of the conversation, date, time, etc. ) Retention – Copies of letters, emails, or call documentation should be retained in the customer’s file. – Documentation should be kept in the department for 7 years. 8

A. Accounts Receivable 3. Payroll deductions must be uploaded in a timely manner and monitored adequately. Departments must monitor to ensure that funds are received from payroll deductions. Departments should monitor for rejected charges resulting from mismatched names, incorrect ID, etc. Without monitoring, funds may not be received and services may continue to be provided without payment. 9

A. Accounts Receivable 4. Bursar accounts must be uploaded in a timely manner and adequately monitored. Departments should monitor to ensure that funds due to the department are received. Departments should monitor for rejected charges resulting from mismatched names, incorrect ID, etc. If problems are detected, they should be addressed immediately to ensure that problematic items are uploaded. 10

A. Accounts Receivable 5. Duties related to receiving funds, posting customer accounts, and reconciling must be adequately separated. The same employee should not be responsible for receiving funds, writing receipts, preparing deposits, and updating accounts. No single employee should have access to funds AND the ability to update accounts.

How We Test Accounts Receivable Controls 1 & 2: Select 2 monthly aging schedules & select a sample of 5 customers from each schedule. – Verify that A/R aging schedule is correct – Inspect files to see that collection follow-up is occurring Control 3: Select a sample of 5 fees that should have been uploaded as payroll deductions. – Verify that fee uploaded correctly – Verify that fee uploaded timely 12

How We Test Accounts Receivable (continued) Control 4: Select a sample of 5 fees that should have been uploaded as bursar charges. – Verify that fee uploaded correctly – Verify that fee uploaded timely Control 5: Combination of interview and inspection of documentation during testing to determine if there are proper segregation of duties. 13

B. Cash Receipting & Petty Cash 1. Departmental cash receipting and petty cash procedures must be in accordance with university policy. The forms used are: (1) The University of Mississippi official receipt. Cash receipt books can be ordered on the Internal Audit Website at the following link: http: //www. olemiss. edu/depts/internal_audit/receiptbook 1. htm (2) The Cash Report, which can be found on the Internal Audit Website at the following link: http: //www. olemiss. edu/depts/internal_audit/cashreport. htm Once accumulated funds have reached $100, a deposit should be made; however, deposits should be processed no less than weekly regardless of the amount of receipts. 14

B. Cash Receipting & Petty Cash When a department receives funds (i. e. cash, checks or credit card payments), the following steps apply: 1. Checks received should be carefully examined for complete information. Specifically: a. b. c. The amount, both numerical and written, must be accurate, The payor’s proper signature must be included, and Checks should be made payable to The University of Mississippi, as opposed to a department or individual. If all information is correct, the check must be immediately endorsed with a restrictive endorsement. (Contact the Bursar’s Office for required restrictive endorsement information. ) 2. An official university receipt must be prepared by the department and processed as follows: 15

University Cash Receipt Example 16

University Cash Receipt Example (Continued) 17

B. Cash Receipting & Petty Cash a. b. The original copy (white) is given to the payor. The second copy (yellow) is attached to the department’s copy of the cash report and maintained within the department. The remaining copy (pink) is kept in the receipt book by the department for three fiscal years. If an error is made when preparing a receipt, all copies should be marked “VOID”. The department should retain all three copies of the voided receipt in the receipt book. c. d. Note: As illustrated above, cash receipts must be completed as follows: – – – – Department name Date, including the year Amount Payor’s name Detailed description of the source of revenue to be completed in the “For” section of the cash receipt. The description should be adequate enough to enable the employee completing the Cash Report to know which account and G/L code should be used. Type of payment (i. e. cash, check, or other) Signature of person accepting the payment 3. The department completes the cash report: 18

University Cash Report Example 19

B. Cash Receipting & Petty Cash a. b. c. d. e. All reports must be numbered consecutively beginning each fiscal year (July 1 st) with the number 1. The departmental name must appear on the form. The report must reflect the beginning and ending dates in which all cash, checks or credit card payments are receipted. Note: Cash Report dates should match cash receipt dates and funds must be receipted when received. The complete business area, general ledger number (BA-G/L No. ), and profit center or short A/C Assignment number must appear on the form. Additional columns are available if funds are to be credited to multiple G/L numbers and profit centers/cost centers. The report must reflect beginning and ending official receipt numbers corresponding to the funds to be deposited. Note: If a department uses multiple cash receipt books, the numbers from each series should be shown separately. 20

B. Cash Receipting & Petty Cash f. g. h. i. j. k. Amounts must be totaled and recorded in the space provided (Total Receipts). Total credit card amounts must be subtracted from Total Receipts and included in the space provided (Less Total Credit Card Amts). The breakdown of the deposit (silver, currency, and/or checks) must be recorded in the space provided (Deposited as Follows). The total of the breakdown must equal Total Amount Deposited to Bursar. Any overage or shortage (difference between Total to be Accounted For and Total Amount Deposited to Bursar) must be recorded in the space provided. Note: If an overage or shortage is reflected on the form, an explanation should also be noted. Checks must be added twice and both adding machine tapes attached to the checks. The report must be signed by the department head. Note: The report should also be signed and dated by the preparer and counter, 21 if separate from the preparer.

B. Cash Receipting & Petty Cash 4. On a weekly basis, or when total receipts reach $100, the department should deliver the cash report and all corresponding funds to the Bursar’s Office for the following steps: a. b. c. d. The deposit is processed by the Bursar’s Office. A Bursar’s receipt is given to the department to be filed with a copy of the cash report and corresponding yellow official receipts in the department. The Bursar’s receipt number is recorded on the cash report. The original cash report is filed in the Bursar’s Office. 22

B. Cash Receipting 2. Funds must be adequately safeguarded. Access to the funds should be restricted to a few individuals. Funds should be kept in a secure location until deposited (i. e. lockbox, locked desk drawer, etc. ). 23

B. Cash Receipting 3. Duties related to receipting, preparing deposits, and reconciliation of funds must be adequately separated. The same employee should not receive funds, prepare the deposit, and reconcile. One way to separate is to have the same employee receive funds and reconcile, and another employee prepare the deposit. 24

B. Cash Receipting If a department receives a lot of revenues, reconciliation should include performing a revenue trend analysis (i. e. monthly, quarterly, or annually). This should be performed by someone other than the employee responsible for receiving funds and preparing cash reports. 25

Petty Cash When a petty cash custodian transfers or terminates from a department, a petty cash audit must be requested from internal audit and university records should be updated. Petty cash funds on hand must equal the amount recorded in the university general ledger. Fund custodian is responsible for any shortages. Cashing personal checks and IOUs or “borrowing” from petty cash for personal use is implicitly disallowed. 26

How We Test Cash Receipting Control 1: Select 2 months of cash reports and select a sample of 5 from each month. – Verify reports are consecutively numbered each fiscal year & numbers start over each July. – Verify reports and receipt books are retained by the department for 3 years. – Verify copies of Bursar receipts and correct cash receipt copy is attached to Cash Report. – Review receipt books and verify receipt copies: white – payer, yellow – cash report, pink – stays in receipt book. Verify all three copies of voided receipts are in receipt book. – Verify deposits are recorded correctly, timely, and cash reports are filled out correctly. – Verify checks are made payable to the University of Mississippi. 27

How We Test Cash Receipting (continued) Control 2: Combination of interview and inspection to determine if funds are safeguarded. Control 3: Combination of interview and inspection of documentation during testing to determine if there are proper segregation of duties. 28

Related University Policy Cash Receipting and Reporting (Policy Code: ADM. AC. 400. 200) Petty Cash (Policy Code: ADM. AC. 400. 100) 29

Sales Tax Liability Departments must work with the Accounting Office to determine if revenue collected within the department requires the collection and reporting of sales tax. If sales tax is required, departmental employees must implement proper procedures to ensure that sales tax is reported accurately and timely. If sales tax is not collected and reported in a timely manner, the result could be monetary penalties to the University. 30

C. Procurement 1. Expenditures must be adequately documented to fully explain purchases. A clear business purpose should be recorded for all P -card purchases, Request for Payments, Purchase Requisitions, Purchase Orders, and G/L Account Posting Document backup. This can be achieved in one of the following ways: – Writing business purpose on document copy sent to procurement – Writing business purpose on document copy retained by department – Creating a spreadsheet maintained by the department that lists each expense and its business purpose 31

C. Procurement 2. Adequate documentation must be maintained to support fuel card expenditures. Fuel receipts should be submitted to appropriate departmental personnel in a timely manner for reconciliation and submission to Procurement Services. UM Vehicle/Asset number should be noted on fuel receipts. Fuel receipts and statements should be submitted to Procurement Services with Request for Payments. Copies of fuel receipts, corresponding statements, and Request for Payments should be retained within the department. Fuel related documentation (i. e. Request for Payment) must contain adequate explanation of the business purpose of the expenditures. There should not be any food or drink charges to the fuel card. 32

Did you know… Fuel cannot be charged for personal use. Only departments with university vehicles can apply for a departmental fuel card. Fuel card applications must go through Shelley Morrison in Procurement Services. Reconciliation of fuel charges can be delegated to other employees by the department head/signatory officer; however, the delegation should be included in the departmental policy and procedure manual. Responsibility for reconciling fuel charges should not be delegated to employees purchasing fuel. Signatory officers should review fuel reconciliations/receipts for reasonableness and appropriateness when approving/signing the Request for Payment. 33

Did you know…. Fuel cards should NOT be used in the Oxford area. Use PPD Fueling Station instead. Fueling Station has fuel available 24 -7. It operates by having an assigned fuel key, coded to a specific vehicle, with specific employee ID numbers that are approved to purchase fuel. To use one of the fuel pumps, plug in your unique key, type in on the pump’s key pad the SAP employee number, the vehicle unit number, and the current mileage. PPD produces a monthly fuel report for each vehicle that purchased fuel, which is sent to all users to place in the monthly IHL Vehicle Report compiled by Patti Mooney. 34

C. Procurement 3. Request for Payments must be signed/approved by signatory officers. Employees cannot sign the signatory’s name on Request for Payments. . The signatory’s name cannot be stamped on Request for Payments 35

C. Procurement 4. Documentation must be maintained to fully explain the purpose of purchases processed as interdepartmental charges (i. e. Inn at Ole Miss, Printing, etc. ). 36

Examples: Inn at Ole Miss – Departments should have a copy of the G/L Account Posting Document and itemized charges for each room. – Departments should note on documents the business purpose for the individual’s stay. Housing & Other Space Rental – Departments should have an interdepartmental invoice or email request. – A clear business purpose/explanation should be included with/attached to these documents. Printing Services – Departments should have a packing slip, quote, or email request. – A clear business purpose should be included with/attached to these documents. Ole Miss Express – Departments should have an email/ memorandum request with a clear explanation of the business purpose. 37

C. Procurement 5. Duties related to purchasing, approving, and reconciling must be adequately separated. The same individual should not be purchasing, approving, and reconciling. Someone other than the individual responsible for purchasing (i. e. processing purchase requisitions) should be receiving Purchasing Notification Reports. 38

How We Test Procurement Control 1: Select a sample of P-card and Request for Payment expenses to see if adequate documentation exists. Control 2: Select a sample of fuel card expenses to see if adequate documentation exists. Control 3: Select a sample of Request for Payments and inspect documentation to verify if they were signed/approved by signatory officers. 39

How We Test Procurement (continued) Control 4: Select a sample of interdepartmental charges (i. e. G/L documents) to see if adequate documentation exists. Control 5: Check recipients of Purchasing Notification Reports (PNRs). (PNRs should be reviewed by appropriate personnel. Failure to contact the Office of Procurement Services within 2 business days will be interpreted as approval of these transactions. ) 40

Related University Policy Documentation of Financial Transactions (Policy Code: ADM. AC. 200) Use of Procurement Card (Policy Code: PUR. PC. 107. 002) 41

General Procurement Information: Department heads are responsible for unallowable items paid, NOT Procurement Services. Signatory officers are responsible for monitoring expenses submitted for payment to ensure compliance with university policy and state law. Monitoring includes determining if an expense is appropriate/allowable and if adequate documentation/explanation is provided. Documents should not be submitted with the intent of Procurement Services’ personnel making this determination. Departments are responsible for ensuring that appropriate/authorized signatures are recorded on all expenditure documents. 42

General Procurement Information: Alcohol cannot be reimbursed with university funds. This must be clearly communicated to all departmental employees. To help ensure compliance, receipts/documents should be reviewed by the department head or his/her designee prior to submission for reimbursement. Document examples: – – – Receipts included with requests for reimbursement Receipts related to procurement card purchases Hotel bills related to university travel (i. e. mini bar charges) 43

II. HUMAN RESOURCES A. Employee Termination Process (includes resignations or transfers to another department)

Related University Correspondence An excerpt from the August 8, 2007 Chancellor’s email regarding the Mandatory Exit Checklist for Terminating/Transferring Employees: “Effective immediately, the Employee Exit Checklist…must be completed and forwarded to Human Resources for all nonstudent employees terminating from or transferring within the University. ”

A. Employee Termination Process 1. The University’s Employee Exit Checklist must be used consistently within the department. Accounting (i. e. payroll) and security risks (i. e. network access) arise when the University is not aware of employees changing departments or leaving the University. The Employee Exit Checklist must be completed anytime an employee terminates from the University or transfers departments within the University. This form can be accessed through the Human Resources website. Completed checklists must be forwarded to Human Resources. A non-mandatory Student Exit Checklist is also available on the Human Resources website for departmental use. These should not be forwarded to Human Resources.

Employee Exit Checklist 47

Student Employee Exit Checklist 48

A. Employee Termination Process 2. The Accounting Office must be contacted to change signatory officers or recipients of Monthly Budget Statements. Controls that rely solely on the automated emails sent by SAP (i. e. Budget Statements, Purchasing Notification Reports, etc. ) will not be effective if accounting records are not updated. Signatory Officers must be updated anytime turnover occurs (i. e. a signatory officer terminates). Signatory officers should be reviewed in SAP or on Monthly Budget Statements periodically for accuracy. To request a change in signatory officer, email Ms. Nina Jones in the Accounting Office. Maintain a copy of the request (i. e. email) with the departmental copy of the Employee Exit Checklist.

How We Test Employee Termination Controls 1 & 2: Select a sample of employees that have either transferred to a different department or have left the University. - Verify that an Exit Checklist was completed for the employee. - Verify that employee was removed as signatory officer and/or recipient of budget statements and Purchasing Notification Reports. 50

Related University Policy Terminal Interviews (Policy Code: HRO. EM. 300. 270)

III. INFORMATION SYSTEMS A. Security Controls B. Backup and Recovery Remember these are applicable to both PCs and Macs! 52

A. Security Controls (Physical) 1. Adequate controls must be in place to secure sensitive data, as well as equipment, against theft or physical damage. Physical access to servers maintained within the department should be restricted (i. e. should be in an office or locked room). Physical access to computers should be safeguarded against theft (i. e. laptops should not be left unattended when taken out of the office; computers should not be left in an unlocked area after hours, etc). More departments are now using external hard drives. These must have restricted access as well. Server rooms should have a fire extinguisher. Contact PPD for appropriate type. 53

A. Security Controls It is recommended that departmental personnel determine if confidential data must be maintained on their computers; confidential data should not be maintained if it is accessible online (i. e. SAP). Maintaining confidential data exposes the department and University to security breach risks. According to Mississippi Data Breach Notification Law, Miss. Code Ann. § 75 -24 -29, “A person who conducts business in this state shall disclose any breach of security to all affected individuals. The disclosure shall be made without unreasonable delay…” In addition to the state law description, other types of data, such as student grades and classified research, are considered confidential by the University and federal law. 54

A. Security Controls (Logical) 2. Access to university records must be adequately restricted through the use of unique user ids and passwords. Laptops, desktops, servers, SAP, other software programs (i. e. Quick. Books), etc. should require a unique user id and password to log on. User ids and passwords should not be visually displayed. User ids and passwords should never be shared. We recommend that computers be set to require a password once the screen saver appears (i. e. the computer remains dormant for a period of time). 55

A. Security Controls 3. The latest anti-virus software and operating system (OS) patches must be installed on all departmental computers and servers. Viruses are costly to the University in terms of data loss, staff time to recover systems, and delay of important work. Departments are responsible for purchasing virus protection software for all departmental machines. Employees are responsible for: – Updating virus protection software regularly – Configuring machines to perform frequent (at least weekly) automatic full system scans – Being careful when opening attachments – Reporting all significant virus incidents to the IT Helpdesk 56

Windows 7 Auto OS Update Setting 57

Symantec Anti-Virus Full Scan Setting 58

A. Security Controls 4. Servers containing critical and confidential information must have a hardware firewall. To help avoid unauthorized access to data by employees, hackers, etc. To help reduce viruses/attacks to university systems. Confidential information cannot be stored on external systems/servers (3 rd party applications) unless contracts include certain provisions relating to confidential information (Section 11 of the Information Confidentiality/Security Policy). 59

A. Security Controls 5. Servers which contain confidential information or have open ports, and computers which contain confidential information must be registered with the Campus Security Coordinator. (Departments can contact David Drewrey’s office to determine if the server has open ports. ) Vulnerability scans are performed on registered servers. To register, log into portal via, http: //my. olemiss. edu then click the “Tools and Resources” tab at the top to get to the Server Registry. 60

The decision as to whether a machine has Critical or Non-Critical data will depend on each department and user. 61

How We Test Security Controls 1 – 3: Select a sample of computers (PCs and Macs) and servers (internal and external). – Verify physical security by inspection and employee inquiry. – Perform vulnerability scans to check for computers with high security risks. – Verify the use of unique user IDs and passwords by inspection and employee inquiry. – Verify the computer/server has adequate anti-virus, receives regular updates, etc. Control 4: Verify that computers and servers with confidential information are protected by a firewall. Control 5: Verify that appropriate computers and servers are registered with the Campus Security Coordinator. Note: We will NEVER look at personal files while we are performing testing; we are only looking for security settings. 62

B. Backup and Recovery 1. Routine backup procedures must be established for departmental computers. Specific departmental procedures, including how to backup and how often, should be documented in the departmental policies and procedures manual, which should be reviewed by all employees. Backups should be scheduled to run automatically on a routine basis. – We suggest that critical data be backed up daily and non-critical data be backed up weekly or semi-weekly. – Automatic backups can be setup through Windows Backup Utility, Mac Time Capsule, etc. – We don’t recommend backups to a USB drive because they can be lost or stolen very easily. A departmental employee should be assigned the responsibility for ensuring that adequate backups are performed. A detailed recovery plan should be established and included in the policies and procedures manual. 63

How We Test Backup and Recovery Control 1: Select a sample of computers (PCs and Macs) and servers (internal). – Verify that computers and servers are backed up appropriately based on the type of data that it contains. – Determine if backups are being performed manually or automatically by the system. – If an external hard drive is used for backup, determine if it is kept physically secure. 64

Related University Policies Anti-Virus Protection for UM Computers (Policy Code: ACA. IT. 100. 040) IT Appropriate Use (Policy Code: ACA. IT. 100. 010) Information Confidentiality/Security (Policy Code: ACA. IT. 400. 030) 65

General Information Regarding Information Systems: All departmental SAP users, as well as any employee using and/or maintaining electronic confidential and/or critical data should attend Security Awareness Training every two years. Departments should track and document attendance for employees required to attend Security Awareness Training. Confidential information should not be forwarded through email. Use the secure document exchange in my. Ole. Miss. 66

IV. GENERAL A. Scholarship Award Process B. Policies and Procedures 67

A. Scholarship Award Process 1. The department must establish a formal process by which scholarship applicants are reviewed and selected. Formal Process should include: – – – Documentation as to the funding source of scholarships (i. e. grants, departmental budget, etc. ) Description of the Application Process Guidelines of awarding scholarships including: minimum criteria, who decides the recipient and the amount of the award, if anyone is ineligible from receiving the scholarship (i. e. family members of faculty staff within the department) Having more than one individual involved in the selection process Maintain good documentation, especially if family members of departmental personnel are awarded scholarships. 68

How We Test Scholarship Awards Control 1: Select 5 scholarship recipients. – Determine if the award process was documented, including the selection of each scholarship winner. 69

B. Policies and Procedures 1. Documented departmental policies and procedures must be established for areas under review. Written departmental policies and procedures should be developed for all areas reviewed. Within departmental manual, include a list of university policies related to the department / areas so employees (especially new employees) are aware of them. Periodically review university policies related to their areas to help determine if changes or updates are needed to maintain compliance. Personnel should be assigned to perform duties in the event of another employee’s absence. Written departmental policies and procedures will help to ensure that data is recorded accurately, procedures are performed consistently, and new and backup personnel have necessary information to help maintain continuity of operations. 70

How We Test Policies and Procedures Control 1: Obtain departmental policies and procedures manual. – Review for all areas covered under our ICA audit. – Determine whether manual has been communicated to/reviewed by departmental employees. – Determine whethere is documentation of communication to employees (i. e. email, signatures indicating review, etc). – Determine whethere is a process in place to update annually. 71

QUESTIONS? 72