Internal Audit has documented the following miscellaneous procedures as a quick reference for departments. They represent university policies or best practices that Internal Audit believes will create good internal controls. This is not an all-inclusive list of all university procedures and, at any time, these procedures may change. Current policies and procedures can be found on the following websites: The Office of the Controller (https://www.cmich.edu/fas/fsr/OAC/Pages/default.aspx) Human Resources ( https://www.cmich.edu/fas/hr/Pages/default.aspx), Purchasing Services ( www.purchasing.cmich.edu), and General Counsel ( www.cmich.edu/office_president/general_counsel). If more detail is needed, contact the department listed or Internal Audit at extension 7082.
Check and Cash Handling
Though it is ideal to have revenue processed through the Student Account Services and University Billing, departments occasionally receive cash and checks directly from the payee. When this occurs, the following should be considered:
- Endorse checks immediately upon receipt. A proper endorsement includes "Central Michigan University" and "For Deposit Only" on the back of the check.
- Keep a cash receipts journal, a duplicate receipt copy or another suitable record when accepting payments.
- Retain cash receipts documentation in accordance with the records retention rules.
- Money collected should be kept in a secure location, such as a locked filing cabinet, locked box or safe. Keys or combinations should only be given to those employees that need them to perform their job responsibilities. Preferably, only two people (one serving as a backup) should have access to the keys or know the combinations. If an employee who has access to one of these devices leaves the employ of the department, keys should be returned and any combinations should be changed.
- If large sums of money are collected, deposits should be made frequently. Departments need to determine what amount they would be willing to put at risk when determining when a deposit should be made.
- The safety of employees who deliver deposits should be considered.
Suggestions for Cash Receipts
back to top
The department should establish written policies and procedures for processing cash receipts.
Internal control is a process effected by a college or university's governing board, administration, faculty and staff designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Cash receipts must be processed through Student Account Services and University Billing.
- Checks received by the department should be listed by a person independent of any further processing of the check (see next item). This same person should immediately restrictively endorse the check "Central Michigan University" and "For deposit only" on the back of the check.
- The department should establish a segregation of duties, so that the same person does not receive the cash/check, prepare the deposit for Student Account Services and University Billing and reconcile the deposit prepared for Student Account Services and University Billing to the account during the monthly reconciliation.
- Cash and checks received by the department should be deposited with Student Account Services and University Billing as soon as possible (preferably daily, depending on the volume of receipts).
- While in the department, cash and checks should be securely locked and access limited.
- If money collected is from the sale of taxable items, the department should calculate the amount of tax and deposit that amount into a separate sales tax account.
- Cash short/over amounts should be monitored.
If a department allows employees to work overtime and the employee elects the option of compensatory time, the actual hours of overtime worked should be recorded as compensatory time on the timesheet. This will be calculated at 1.5 times the hours reported. Contact the Payroll
office with specific questions.
A significant amount of money is spent each year on computer equipment. Departments rely heavily on information created, processed and stored on computers. Consequently, departments should implement good computer and password controls. See Suggestions for Computer Security and Suggestions for Password Security below for more information.
Suggestions for Computer Security
- Physical access to computers and disks should be limited as much as possible to protect against accidental damage and theft.
- Logical access should be limited to those users who need access to perform job responsibilities.
- Sufficient access controls, such as passwords, should be in place to ensure that employees using a computer are able to maintain the security of the information. Passwords should be at least 8 total characters with at least 1 uppercase alphabetic character, 1 lowercase alphabetic character, and 1 special character or number. They should be changed on a periodic basis or when a user leaves the department. See Suggestions for Password Security for further information.
- Computers logged on should not be left unattended.
- BIOS passwords (start up passwords that enable a computer to boot up), screen savers with passwords, and locking your computer or workstations when you are away from it are all great ways to prevent and deter unauthorized access to your computer or workstations.
- The department should back up critical files on a regular and timely basis. The back-up disks or tapes should be housed off-site. Contact the Office of Information Technology for additional information on daily backups of computer workstations.
- For continuity of operations, departments should document the computer processes and logic of critical functions, such as databases or worksheets.
- Unauthorized copying, storage or use of any software in violation of the software licensing agreement should be prohibited.
- To help guard against viruses, virus protection software should be continually used and updated weekly. This is available through the Office of Information Technology. Also, software should not be obtained from unknown or unreliable sources.
- Always use caution when opening email attachments. This is a favorite mechanism used for transmitting viruses. If an attachment has the extension .exe, .scr, .pif, .vbs, .bat, .zip, or a double extension such as .txt.doc, it is most likely a virus.
- Always remember that any confidential information (HIPAA, FERPA, GLB, etc.) is subject to additional security regulations.
Departments with servers or networks should identify a system administrator to coordinate these security considerations.
Decisions about the level of security should consider the value of the data being processed, the expense related to securing it, and the potential loss (both effort and dollars) if a security measure is not implemented.
Suggestions for Password Security
The following should be considered when choosing passwords:
- should be easy to remember
- should be difficult to guess
- should not be of a fixed length but rather, at least six (6) characters long.
- should be made up of letters, numbers, and special characters. Also try to mix upper case and lower case letters. This multiplies the number of different possible combinations.
- should not be displayed when inputted
- should be changed periodically by the user
- should be forced to change by the system administrator
- should not be dictionary words, either forwards or backwards
- the degree of password complexity should be greater than the data at risk
- should not be shared with anyone or used as a group of users "generic" password
- should not be posted or written down in an unsecured location (i.e. desk drawers)
- should be immediately changed if you suspect it was compromised
- should not be known by a supervisor or other staff
- should not be the same as your user ID
- should not be names of your pets or children, phone numbers, or street addresses (or any personal information)
back to top
Capitalized Equipment (all tangible, non-expendable property, having a useful life of more than one year and a value of $5,000 or more)
and Non-Capitalized Equipment (tagged with a purchase price of $1,000-$5,000 OR technology related)
should be verified annually. Typical "technology" related items include cameras, digital cameras, stereos, audio visual equipment, televisions, VCRs, DVDs, printers, computers, electronics, and digital media equipment. These items are tagged with university property identification tags to deter theft and provide a basis for university departments to conduct equipment inventory.
Fixed Assets should be notified of any assets that have been scrapped, stolen, sold, traded in, loaned out for an extended period, or transferred. If any equipment is delivered directly to the department, Assets should be notified so that the equipment can be tagged and added to the inventory list. Any unused or obsolete equipment should be given to Assets. If a department is considering donating or giving equipment away, Fixed Assets should be contacted prior to doing so.
Whenever equipment is transferred from one department to another or moved to a substantially different physical location, but stays within the same department, the transferring department should contact Fixed Assets and provide the updated information. This information will allow their office to accurately track equipment locations and responsible cost centers while improving the overall accuracy of departmental equipment inventories.
If equipment is taken off campus on a long-term basis, Fixed Assets should be notified. See the Request to Take Equipment Off Campus form that should be used for equipment taken off campus on a long-term basis. If equipment is taken off campus on a short-term basis, the department should require employees to complete a sign-out sheet. This provides written support for the location of the equipment.
back to top
All fees should be approved through the Budget and Planning
office and collected by Student Account Services and University Billing Office.
back to top
Development and Alumni Relations
should be notified when monetary gifts are received. Upon receipt of non-monetary gifts,
you must contact your college development officer or work directly with Development and Alumni Relations at extension 1012.
back to top
An Independent Contractor Questionnaire
must be completed and submitted to Employment and Compensation/HR before the service of an individual (i.e., sole proprietor) is considered for hiring as an independent contractor. It must be completed even in those cases where payment is to be made to a business name rather than to the individual. If it is determined that the individual qualifies as an independent contractor, then the department will receive a copy of an independent contractor agreement which should be completed, signed by an individual with contracting authority and submitted along with the copy of the questionnaire to Payable Accounting at the time payment is to be processed. The independent contractor information is available on the Contracting & Purchasing Services website.
If it is determined that the individual should be processed as an employee rather than an independent contractor, then the necessary employment appointment forms should be processed through the normal channels. For additional information, see forms
on the Employment and Compensation/HR
web site. If the services are being provided by a business (a corporation or partnership), the normal procurement policies should be followed.
back to top
Unless an authorization log
is completed, only the cardholder is authorized to make purchases with a university CMU Business Card.
The university has a policy regarding what can be purchased with the university CMU Business Card. See here for more information.
Per the Office of the Controller cardholder guidelines, CMU Business Cards should be handled the same way one would handle cash. Therefore, the cards should be kept in a secure location (e.g., carried by the cardholder, or in a locked desk, cabinet, or safe).
Supporting documentation for CMU Business Card transactions must be kept for three years per the CMU Business Card agreement. Internal Audit suggests attaching the supporting documentation to the monthly statement for filing. This documentation should include credit card receipts that contain a descriptive itemization of items purchased, amounts, price and vendor.
For additional information, contact the Office of the Controller or visit their website section Credit Card.
back to top
Ideally, the department's accounts should be reconciled within two weeks from the
month-end close dates
. It is important that the accounts be reconciled to ensure that they accurately include authorized transactions. Each transaction, other than payroll and mailroom, should be supported by documentation. The payroll and mailroom entries should be reviewed for reasonableness. Reconciling the department's accounts provides a good internal control environment.
In addition to identifying unauthorized transactions, the reconciliation should include identification of transactions initiated by the department but not yet posted on the general ledger. Financial information should be adjusted to reflect pending transactions identified, thereby providing up-to-date financial information to be used in the monitoring of the availability of funds.
After completing the reconciliation, the statements along with the supporting documentation should be given to a second person for review. This review should be completed within a month. After the review, it is a good practice to initial the statements and file them with supporting documentation. For more information on the reconciliation process, see Suggestions for Expenditure Approval.
Suggestions for Expenditure Approval and Reconciliation
- The department should establish policies for approval of expenditures. For instance, in some departments the chair or director will approve all purchase requisitions and invoice vouchers. In others, two levels of approval may be established; i.e., the assistant director can approve expenditures up to a certain amount but the director must approve anything over that amount.
- the person who approves expenditures must have the authority to do so and the necessary knowledge to make informed decisions.
- The department should establish segregation of duties, so that the same person who is authorized to approve expenditures is not also responsible for reconciling the department's accounts unless a second person reviews the reconciliation.
- Detailed supporting documentation for all expenditures should be kept by the department and used to reconcile the expenditures recorded in the accounts.
- The reconciliations of the accounts should be reviewed by the person who is responsible and accountable for the account (usually the department head).
- Reconciliations should be performed within two weeks from the month-end closing date so that any errors can be more easily investigated and corrected.
- Employee reimbursement forms must be approved by someone who is administratively senior to the employee.
- Specific guidelines for the use and record keeping associated with CMU business cards are available from Travel Services.
back to top
The university has an official record retention schedule.
A copy can be downloaded from the Office of Information Technology's Website. A department can submit changes to the Office of Information Technology at any time.
back to top
Review Mailroom, Phone, Fax, and Copier Usage
Mailroom, phone, fax, and copier charges should be reviewed for reasonableness. Personal use of any university resources should be reimbursed.
All scholarships should be established through the Scholarships and Financial Aid Office. The scholarship accounts should be monitored by the department.
back to top
should be informed of any security system installed on campus. Keys or codes should be given only to those employees who need them to perform their job responsibilities. However, at least two people (one serving as backup) should have the keys or codes. If an employee who knows the code or has a key to the security system leaves the employ of the department, the code should be changed or the key returned.
back to top
Segregation of Duties
Though more difficult to accomplish in small departments, segregation of duties is possible in any office containing two or more people. Departments should review revenue, payroll, expenditure, and credit card processing to ensure adequate controls are in place. The following is a list of ideal processes that would provide adequate controls.
- Revenue Processing: One person receives the revenue and creates payment documentation (receipt, receipt log, copy of check). A second person prepares the deposit and reconciles the amounts to the account during the monthly reconciliation. A receipt from the Student Account Services and University Billing Office is given back to the first person who uses it to compare to the payment documentation. The second person reconciles the amount collected to what should have been collected. For more information see Suggestions for Cash Receipts.
back to top
- Payroll Processing: One person prepares the timesheets and gives them to a second person to approve. The timesheets are delivered to Payroll. The second person reviews the monthly account reconciliation for reasonableness. For more information, see Suggestions for Expenditure Approval and Reconciliation.
back to top
- Expenditure Processing: For the best internal controls, one person approves the expenditures while a second person receives the deliveries and performs the account reconciliation. The first person reviews the reconciled account with the supporting documentation. One person could have authority to approve expenditures, receive deliveries, and reconcile the accounts as long as a second person reviews the statements and supporting documentation. For more information concerning the expenditure process, see Suggestions for Expenditure Approval and Reconciliation.
back to top
- Credit Card Processing: The cardholder reconciles the monthly credit card statement to the supporting documentation. Someone other than the cardholder should review the reconciled statement with the supporting documentation.
back to top
Most purchased software programs used at the university are copyrighted and/or patented. These copyrights and patents prohibit the university or its employees from making duplicates of the software and may also restrict the use of the software program to a particular machine. As users and/or purchasers of software packages, departments have the responsibility to be aware of the various agreements pertaining to each. Making illegal copies of licensed software may result in an individual and/or the university being held liable.
A good rule of thumb regarding software purchased is to assume the software:
- is not to be copied except for making a back-up
- is designated for use with only one PC/Laptop at a time and is not to be used by multiple users on a local area network.
- is not normally maintained and updated by the vendor unless departments have paid an annual maintenance/support fee or paid for an updated version.
If you do copy software for a back-up, the manufacturer's copyright notice should be placed on all copies or portions of the software reproduced.
back to top
back to top
Transfer of Funds
Transfer of funds should be done according to procedures located at the Accounting Services
website. The department requesting the transfer is responsible for forwarding a copy of the e-mail message or memo to departments that are affected by the transfer.
back to top
must be approved by someone administratively senior to the individual seeking reimbursement. It is a good practice to have travel approved prior to the travel occurring in order to provide proper authorization over travel expenditures. For more information, contact the Travel Clerk in Payroll or visit the Travel section on the Controller's web page.
back to top