Quick Reference Guide

Internal Audit has documented the following miscellaneous procedures as a quick reference for departments. They represent university policies or best practices that Internal Audit believes will create good internal controls. This is not an all-inclusive list of university procedures, and these procedures may change at any time. Current policies and procedures can be found on the following websites: The Office of the Controller (https://www.cmich.edu/fas/fsr/OAC/Pages/default.aspx), Human Resources (https://www.cmich.edu/fas/hr/Pages/default.aspx), Purchasing Services (www.purchasing.cmich.edu), and General Counsel (www.cmich.edu/office_president/general_counsel). If more detail is needed, contact the department listed or Internal Audit at extension 7082.


Back Up Critical Information

To provide adequate safeguarding of critical information, Internal Audit recommends that critical computer files be backed up on a periodic basis. The importance of the information and the amount of time needed to recreate the information should be considered when determining how often to back up computer files. The back-up disks or tapes should be stored off-site. Internal Audit also recommends that departments contact the Office of Information Technology to discuss the latest software options used on campus for automatic backup through SMS (System Management Server).
 


Departments should contact Payable Accounting to obtain appropriate change fund authorization.  Once a change fund is established, a supervisor should periodically perform surprise cash counts to ensure the balance in the fund is always maintained. 
 

Check and Cash Handling


Though it is ideal to have revenue processed through the Student Account Services and University Billing, departments occasionally receive cash and checks directly from the payee. When this occurs, the following should be considered:
  1. Endorse checks immediately upon receipt. A proper endorsement includes "Central Michigan University" and "For Deposit Only" on the back of the check.
  2. Keep a cash receipts journal, a duplicate receipt copy or another suitable record when accepting payments.
  3. Retain cash receipts documentation in accordance with the records retention rules.
  4. Money collected should be kept in a secure location, such as a locked filing cabinet, locked box or safe. Keys or combinations should only be given to those employees that need them to perform their job responsibilities. Preferably, only two people (one serving as a backup) should have access to the keys or know the combinations. If an employee who has access to one of these devices leaves the employ of the department, keys should be returned and any combinations should be changed.
  5. If large sums of money are collected, deposits should be made frequently. Departments need to determine what amount they would be willing to put at risk when determining when a deposit should be made.
  6. The safety of employees who deliver deposits should be considered.

Suggestions for Cash Receipts

The department should establish written policies and procedures for processing cash receipts.

Internal control is a process effected by a college or university's governing board, administration, faculty and staff designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Cash receipts must be processed through Student Account Services and University Billing.
  • Checks received by the department should be listed by a person independent of any further processing of the check (see next item). This same person should immediately restrictively endorse the check "Central Michigan University" and "For deposit only" on the back of the check.
  • The department should establish a segregation of duties, so that the same person does not receive the cash/check, prepare the deposit for Student Account Services and University Billing and reconcile the deposit prepared for Student Account Services and University Billing to the account during the monthly reconciliation.
  • Cash and checks received by the department should be deposited with Student Account Services and University Billing as soon as possible (preferably daily, depending on the volume of receipts).
  • While in the department, cash and checks should be securely locked and access limited.
  • If money collected is from the sale of taxable items, the department should calculate the amount of tax and deposit that amount into a separate sales tax account.
  • Cash short/over amounts should be monitored.

Compensatory Time


If a department allows employees to work overtime and the employee elects the option of compensatory time, the actual hours of overtime worked should be recorded as compensatory time on the timesheet. This will be calculated at 1.5 times the hours reported. Contact the Payroll office with specific questions.
 
 
 
A significant amount of money is spent each year on computer equipment. Departments rely heavily on information created, processed and stored on computers. Consequently, departments should implement good computer and password controls. See Suggestions for Computer Security and Suggestions for Password Security below for more information.

 Suggestions for Computer Security
 
  • Physical access to computers and disks should be limited as much as possible to protect against accidental damage and theft.
  • Logical access should be limited to those users who need access to perform job responsibilities.
  • Sufficient access controls, such as passwords, should be in place to ensure that employees using a computer are able to maintain the security of the information. Passwords should be at least 8 total characters with at least 1 uppercase alphabetic character, 1 lowercase alphabetic character, and 1 special character or number.  They should be changed on a periodic basis or when a user leaves the department.  See Suggestions for Password Security for further information.
  • Computers logged on should not be left unattended.
  • BIOS passwords (start-up passwords that enable a computer to boot up), password-protected screen savers, and locking your computer or workstation when you are away from it are all great ways to prevent and deter unauthorized access to your computer or workstation.
  • The department should back up critical files on a regular and timely basis.  The back-up disks or tapes should be housed off-site.  Contact the Office of Information Technology for additional information on daily backups of computer workstations.
  • For continuity of operations, departments should document the computer processes and logic of critical functions, such as databases or worksheets.
  • Unauthorized copying, storage or use of any software in violation of the software licensing agreement should be prohibited.
  • To help guard against viruses, virus protection software should be continually used and updated weekly.  This is available through the Office of Information Technology.  Also, software should not be obtained from unknown or unreliable sources.
  • Always use caution when opening email attachments.  This is a favorite mechanism used for transmitting viruses.  If an attachment has the extension .exe, .scr, .pif, .vbs, .bat, .zip, or a double extension such as .txt.doc, it is most likely a virus.
  • Always remember that any confidential information (HIPAA, FERPA, GLB, etc.) is subject to additional security regulations.
Departments with servers or networks should identify a system administrator to coordinate these security considerations.
 
Decisions about the level of security should consider the value of the data being processed, the expense related to securing it, and the potential loss (both effort and dollars) if a security measure is not implemented.
 
Suggestions for Password Security
 

The following should be considered when choosing passwords:

  • should be easy to remember
  • should be difficult to guess
  • should not be of a fixed length, but rather at least six (6) characters long
  • should be made up of letters, numbers, and special characters. Also try to mix upper case and lower case letters. This multiplies the number of different possible combinations.
  • should not be displayed when inputted
  • should be changed periodically by the user
  • should be forced to change by the system administrator
  • should not be dictionary words, either forwards or backwards
  • the degree of password complexity should be greater than the data at risk
  • should not be shared with anyone or used as a "generic" password for a group of users
  • should not be posted or written down in an unsecured location (e.g., desk drawers)
  • should be immediately changed if you suspect it was compromised
  • should not be known by a supervisor or other staff
  • should not be the same as your user ID
  • should not be names of your pets or children, phone numbers, or street addresses (or any personal information)

Computer Virus Protection Software


New computer viruses are being created at an alarming rate each month. Consequently, Internal Audit recommends that computer virus protection software be used continuously and updated at least weekly. Contact the Office of Information Technology with specific questions.


Contracting Authority


Anyone signing contracts must have the proper authority. The Office of the Vice President of Finance and Administrative Services maintains a list of all individuals who have been delegated the authority to sign contracts on the university's behalf. The list can be viewed on the Purchasing Services web site. For more information, contact the Finance and Administrative Services office.
 

 

Equipment


Capitalized Equipment (all tangible, non-expendable property, having a useful life of more than one year and a value of $5,000 or more) and Non-Capitalized Equipment (tagged with a purchase price of $1,000-$5,000 OR technology related) should be verified annually. Typical "technology" related items include cameras, digital cameras, stereos, audio visual equipment, televisions, VCRs, DVDs, printers, computers, electronics, and digital media equipment. These items are tagged with university property identification tags to deter theft and provide a basis for university departments to conduct equipment inventory.

Fixed Assets should be notified of any assets that have been scrapped, stolen, sold, traded in, loaned out for an extended period, or transferred. If any equipment is delivered directly to the department, Assets should be notified so that the equipment can be tagged and added to the inventory list. Any unused or obsolete equipment should be given to Assets. If a department is considering donating or giving equipment away, Fixed Assets should be contacted prior to doing so.

Whenever equipment is transferred from one department to another or moved to a substantially different physical location, but stays within the same department, the transferring department should contact Fixed Assets and provide the updated information. This information will allow their office to accurately track equipment locations and responsible cost centers while improving the overall accuracy of departmental equipment inventories.

If equipment is taken off campus on a long-term basis, Fixed Assets should be notified. See the Request to Take Equipment Off Campus form that should be used for equipment taken off campus on a long-term basis. If equipment is taken off campus on a short-term basis, the department should require employees to complete a sign-out sheet. This provides written support for the location of the equipment.

 


Fees

All fees should be approved through the Budget and Planning office and collected by Student Account Services and University Billing Office.
 


Gifts

Development and Alumni Relations should be notified when monetary gifts are received. Upon receipt of non-monetary gifts, you must contact your college development officer or work directly with Development and Alumni Relations at extension 1012.
 


Independent Contractor

An Independent Contractor Questionnaire must be completed and submitted to Employment and Compensation/HR before the service of an individual (i.e., sole proprietor) is considered for hiring as an independent contractor. It must be completed even in those cases where payment is to be made to a business name rather than to the individual. If it is determined that the individual qualifies as an independent contractor, then the department will receive a copy of an independent contractor agreement which should be completed, signed by an individual with contracting authority and submitted along with the copy of the questionnaire to Payable Accounting at the time payment is to be processed. The independent contractor information is available on the Contracting & Purchasing Services website. If it is determined that the individual should be processed as an employee rather than an independent contractor, then the necessary employment appointment forms should be processed through the normal channels. For additional information, see forms on the Employment and Compensation/HR web site. If the services are being provided by a business (a corporation or partnership), the normal procurement policies should be followed.
 


CMU Business Card 

Unless an authorization log is completed, only the cardholder is authorized to make purchases with a university CMU Business Card.
 

The university has a policy regarding what can be purchased with the university CMU Business Card. See here for more information.

Per the Office of the Controller cardholder guidelines, CMU Business Cards should be handled the same way one would handle cash. Therefore, the cards should be kept in a secure location (e.g., carried by the cardholder, or in a locked desk, cabinet, or safe).

Supporting documentation for CMU Business Card transactions must be kept for three years per the CMU Business Card agreement. Internal Audit suggests attaching the supporting documentation to the monthly statement for filing. This documentation should include credit card receipts that contain a descriptive itemization of items purchased, amounts, price and vendor.

For additional information, contact the Office of the Controller or visit their website section Credit Card.


Reconciling the Department's Accounts

Ideally, the department's accounts should be reconciled within two weeks from the month-end close dates. It is important that the accounts be reconciled to ensure that they accurately include authorized transactions. Each transaction, other than payroll and mailroom, should be supported by documentation. The payroll and mailroom entries should be reviewed for reasonableness. Reconciling the department's accounts provides a good internal control environment.
 

In addition to identifying unauthorized transactions, the reconciliation should include identification of transactions initiated by the department but not yet posted on the general ledger. Financial information should be adjusted to reflect pending transactions identified, thereby providing up-to-date financial information to be used in the monitoring of the availability of funds.

After completing the reconciliation, the statements along with the supporting documentation should be given to a second person for review. This review should be completed within a month. After the review, it is a good practice to initial the statements and file them with supporting documentation. For more information on the reconciliation process, see Suggestions for Expenditure Approval.

Suggestions for Expenditure Approval and Reconciliation

  • The department should establish policies for approval of expenditures.  For instance, in some departments the chair or director will approve all purchase requisitions and invoice vouchers.  In others, two levels of approval may be established; i.e., the assistant director can approve expenditures up to a certain amount but the director must approve anything over that amount.
  • The person who approves expenditures must have the authority to do so and the necessary knowledge to make informed decisions.
  • The department should establish segregation of duties, so that the same person who is authorized to approve expenditures is not also responsible for reconciling the department's accounts unless a second person reviews the reconciliation.
  • Detailed supporting documentation for all expenditures should be kept by the department and used to reconcile the expenditures recorded in the accounts.
  • The reconciliations of the accounts should be reviewed by the person who is responsible and  accountable for the account (usually the department head).
  • Reconciliations should be performed within two weeks from the month-end closing date so that any errors can be more easily investigated and corrected.
  • Employee reimbursement forms must be approved by someone who is administratively senior to the employee.
  • Specific guidelines for the use and record keeping associated with CMU business cards are available from Travel Services.


Record Retention 

The university has an official record retention schedule. A copy can be downloaded from the Office of Information Technology's Website. A department can submit changes to the Office of Information Technology at any time.
 


Review Mailroom, Phone, Fax, and Copier Usage 
Mailroom, phone, fax, and copier charges should be reviewed for reasonableness. Personal use of any university resources should be reimbursed.

All scholarships should be established through the Scholarships and Financial Aid Office. The scholarship accounts should be monitored by the department.


Security Systems 

CMU Police should be informed of any security system installed on campus. Keys or codes should be given only to those employees who need them to perform their job responsibilities. However, at least two people (one serving as backup) should have the keys or codes. If an employee who knows the code or has a key to the security system leaves the employ of the department, the code should be changed or the key returned.
 


Segregation of Duties


Though more difficult to accomplish in small departments, segregation of duties is possible in any office containing two or more people. Departments should review revenue, payroll, expenditure, and credit card processing to ensure adequate controls are in place. The following is a list of ideal processes that would provide adequate controls.
 
  1. Revenue Processing: One person receives the revenue and creates payment documentation (receipt, receipt log, copy of check). A second person prepares the deposit and reconciles the amounts to the account during the monthly reconciliation. A receipt from the Student Account Services and University Billing Office is given back to the first person who uses it to compare to the payment documentation. The second person reconciles the amount collected to what should have been collected. For more information see Suggestions for Cash Receipts.

  2. Payroll Processing: One person prepares the timesheets and gives them to a second person to approve. The timesheets are delivered to Payroll. The second person reviews the monthly account reconciliation for reasonableness. For more information, see Suggestions for Expenditure Approval and Reconciliation.

  3. Expenditure Processing: For the best internal controls, one person approves the expenditures while a second person receives the deliveries and performs the account reconciliation. The first person reviews the reconciled account with the supporting documentation. One person could have authority to approve expenditures, receive deliveries, and reconcile the accounts as long as a second person reviews the statements and supporting documentation. For more information concerning the expenditure process, see Suggestions for Expenditure Approval and Reconciliation.

  4. Credit Card Processing: The cardholder reconciles the monthly credit card statement to the supporting documentation. Someone other than the cardholder should review the reconciled statement with the supporting documentation.


Software Licenses


Most purchased software programs used at the university are copyrighted and/or patented. These copyrights and patents prohibit the university or its employees from making duplicates of the software and may also restrict the use of the software program to a particular machine. As users and/or purchasers of software packages, departments have the responsibility to be aware of the various agreements pertaining to each. Making illegal copies of licensed software may result in an individual and/or the university being held liable.
 

A good rule of thumb regarding software purchased is to assume the software:

 
  • is not to be copied except for making a back-up
  • is designated for use with only one PC/Laptop at a time and is not to be used by multiple users on a local area network.
  • is not normally maintained and updated by the vendor unless departments have paid an annual maintenance/support fee or paid for an updated version.
 

If you do copy software for a back-up, the manufacturer's copyright notice should be placed on all copies or portions of the software reproduced.


Staff Termination Checklist


Employment and Compensation/HR has created a Staff Termination Checklist and a Student Employment Termination Notice that should be completed by the supervisor and signed by the employee upon employee termination. Internal Audit suggests that the department complete the termination forms for all employees when employment has terminated. For staff employees, this form should be returned to Employment and Compensation/HR Services (RW 109), and the student termination notices should be sent to Student Employment Services (UC 206).


Transfer of Funds


Transfer of funds should be done according to procedures located at the Accounting Services website. The department requesting the transfer is responsible for forwarding a copy of the e-mail message or memo to departments that are affected by the transfer.
 


 
Per university policy, all Employee Reimbursement Forms must be approved by someone administratively senior to the individual seeking reimbursement. It is a good practice to have travel approved prior to the travel occurring in order to provide proper authorization over travel expenditures. For more information, contact the Travel Clerk in Payroll or visit the Travel section on the Controller's web page.
 


Central Michigan University • 1200 S. Franklin St. • Mount Pleasant, Mich. 48859 • 989-774-4000