This Finance Procedural Statement sets forth university requirements for the key components of internal controls, emphasizes the importance of preventive controls such as the segregation of duties, and articulates the compensating controls that can be used by an organizational unit when adequate segregation of duties is not present.
Internal controls are critical because they promote the use of sound business and financial management practices. They focus on effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations, while simultaneously avoiding pitfalls and surprises along the way. Internal controls provide a comprehensive strategy for achieving:
Everyone within the University has some role in internal controls. The roles vary depending upon the individual's level of responsibility and respective job duties. The Board of Regents, President, and Officers establish the presence of integrity, ethics, and competence that are essential to creating and maintaining a positive internal controls environment. The fiscal principals have oversight responsibility for internal controls within their responsibility units. Fiscal managers operationalize internal controls by executing policies and procedures at the detail level within their responsibility units. Fiscal staff within an organizational unit must be cognizant of the internal controls associated with their specific job responsibilities. Refer to the Administrative Policy Statement (APS) Fiscal Roles and Responsibilities for more information about the types and related hierarchy of fiscal roles within the University.
Internal controls require adequate segregation of duties when performing a fiscal transaction. Adequate segregation of duties means that at least two individuals are involved with every fiscal transaction to ensure it is accurate and proper. Ideally, there should be at least two individuals involved with every fiscal transaction before it occurs to ensure adequate review for accuracy and to reduce the risk of impropriety. Segregation of duties is considered a preventive control because it prevents an event from occurring, rather than discovering an error after the fact. The Finance System and Human Resource Management System (HRMS) are designed to enforce this segregation of duties by separating the key activities for fiscal transactions. The key activity groupings within the Finance System and HRMS are:
When these key activity groupings are split or separated between two or more individuals, then strong internal controls are present. However, if all of the activities within a particular grouping are done by one individual, then that person is said to be performing incompatible duties or is described as having incompatible access to the Finance System and/or HRMS. In this situation, internal controls are compromised, and compensating controls must be incorporated to provide reasonable assurance that fiscal transactions are being monitored for accuracy and propriety.
Compensating controls are less desirable than the segregation of duties internal control because compensating controls generally occur after the transaction is complete (post audit). Also, it takes more resources to investigate and correct errors and to recover losses than it does to prevent the errors in the first place. However, in some rare circumstances, organizational units do not have the staff resources to establish adequate segregation of duties. In these instances, it is important for management to implement internal controls that compensate for this increased risk. Following is a list of compensating controls used at the University. An organizational unit must implement at least one of these compensating controls when an adequate segregation of duties is not present. Each of the acceptable compensating controls involves reviewing fiscal transactions recorded in the Finance System and listed on a report in the university's Reporting System.
Compensating controls cannot be delegated because such delegation would defeat the purpose of the compensating control. The compensating control must be carried out by the Reviewer identified through the respective system access process. In addition, the compensating control review must be physically documented by the Reviewer. For a compensating control in which the report is delivered and maintained electronically in the Reviewer's portal, the review may be documented in a log detailing when the review was performed. For other controls, the Reviewer should maintain a file with the physical copy of the report reviewed and sign and date the report with the review date.
Either Compensating Control A or Compensating Control B, as described below, must be performed by the Reviewer.
At a minimum, fiscal managers having fiscal staff who can perform all aspects of a key activity grouping should be doing a monthly review of their organizational unit's Revenue and Expense Statement Detail and Balance Sheet Statement Detail to identify, investigate, and correct improper charges. An adequate review will take into consideration the transaction date, vendor (where applicable), description, dollar amount and account. Step-by-Step Guides describing how to run and how to read reports are available on the Reporting System Step-by-Step Guides page of the Office of University Controller website.
The Reviewer can periodically pull and review the supporting documents for a transaction sample selected from transactions initiated by the person with incompatible access and charged to that person's responsibility unit. A sample can be generated using the Revenue and Expense Statement Detail and the Balance Sheet Statement Detail reports from the Reporting System or by querying directly against the Central Information Warehouse. An adequate review will consider the transaction date, vendor (where applicable), description, dollar amount and account. Step-by-Step Guides describing how to run and how to read reports are available on the Reporting System Step-by-Step Guides page of the Office of University Controller website.
Appendix A provides an in-depth look at both Compensating Control A and Compensating Control B.
Each month, when a Journal Entry is created by an individual using her or his incompatible access, the Reporting System will burst the Journal Entry Incompatible Access report to the MY.CU portal for review by the Reviewer. The report is accessible on the MY.REPORTS tab and is found in the second channel of the page. The Reviewer should review all transactions on this report for appropriateness and should investigate and remediate any concerns. An adequate review will take into consideration the transaction date, description, dollar amount, and account. The review must incorporate supporting documentation for all material Journal Entries. Material Journal Entries are highlighted in the Journal Entry Incompatible Access report. Visit the Step-by-Step Guides on the Reporting System Step-by-Step Guides web page to get more information about how to access and navigate through the portal and to learn how to run and read the Journal Entry Incompatible Access report.
This audit report lists all compensation changes made to an employee's job record, including the addition of new jobs and the deletion of any rows, whether the actions are done in add, update/display, or correction mode. No system-generated updates, e.g., mass salary increases, are included. This report is available in HR Production, but at present is limited by operator security to the campus HR offices. Step-by-Step Guides for this report are in development, and when these are completed, more widespread training on the Job Data Compensation Change Audits report will begin.
This audit report lists all rate changes from the amount specified in Job Data (for example, hourly override amounts) and flat amounts that are paid to an employee through time collection. This report does not include earnings codes that do not represent pay to the employee (for example, BEX, which just increases an employee's taxable gross income). This report is available in HR Production, but at present is limited by operator security to the campus HR offices. Step-by-Step Guides for this report are in development, and when these are completed, more widespread training on the Time Collection Compensation Override Audit report will begin.
If an organizational unit wants to further strengthen its internal controls, it can also implement the following compensating controls:
Preparing and/or reviewing budgets, and also doing a trend analysis of expenses, can be a way to identify problem areas where further and more detailed review needs to take place.
Anyone having questions or needing other support with respect to internal controls or compensating controls should contact her or his campus Controller's office. Anyone with questions specific to HRMS security should contact the HRMS Access Coordinator for the respective campus.
Unless approved by the Assistant Vice President and University Controller, there are no exceptions to this procedural statement.