Prioritize Areas of Improvement
During engagements, we compare a department's transactions and processes to:
- Columbia policies
- Best practices as defined by professional organizations, industry standards, and other relevant sources
These benchmarks allow us to evaluate operations in terms of compliance, effectiveness, and efficiency. In doing so, we have noted there are areas in which departments frequently need to strengthen controls.
Below are some examples of common areas that need improvement.
Annual performance appraisals are a tool of communication between employees and supervisors. They provide employees with feedback on the job they've been doing, serve as an opportunity for supervisors to make clear their expectations of their employees, and allow employees and supervisors to discuss strengths, weaknesses, and goals for the coming year.
Written performance appraisals provide a record of progress which may support later disciplinary or laudatory actions. All employees are entitled to know "how they're doing", and the written performance appraisal is a way to formally communicate this.
We often find that units are not performing periodic network vulnerability scans on the workstations, servers, and printers or periodic vulnerability scans for the applications they are responsible for.
Most operating systems have vulnerabilities that expose them to attacks. An attacker could exploit these vulnerabilities to disrupt or damage systems and gain access to confidential information, which could lead to fines, penalties, and damage to Columbia's reputation. Regularly scanning workstations, servers, printers, and applications for vulnerabilities, and taking adequate steps to understand and correct what the scans find, helps to ensure that systems are protected from such attacks.
Segregation of duties is an internal control intended to prevent or decrease the occurrence of innocent errors or intentional fraud. This is done by ensuring that no single individual has control over all phases of a transaction.
There are four general categories of duties: authorization, custody, record keeping and reconciliation. In an ideal system, different employees perform each of these four major functions. In other words, no one person has control of two or more of these responsibilities. The more negotiable the asset, the greater the need for proper segregation of duties—especially when dealing with cash, negotiable checks, and inventories.
We often think of cash handling as the place where segregation of duties is most important because cash is a highly liquid asset. This means that it is easy to take money and spend it without leaving a trail of where it went. Any department that accepts funds, has access to accounting records, or has control over any type of asset should be concerned with segregation of duties.
Some examples of incompatible duties are:
- Authorizing a transaction, receiving and maintaining custody of the asset that resulted from the transaction
- Receiving checks (payment on account) and approving write-offs
- Depositing cash and reconciling bank statements
- Approving time cards and having custody of paychecks
Separation of duties will only limit problems stemming from incompatible duties. It is possible, though not likely, that collusion will occur, making control procedures ineffective. Management needs to be aware of relationships (family and friends) and be alert to the possibility of collusion.
Also, in a small operation, it is not always possible to have enough staff to properly segregate duties. In those cases, management may need to take a more active role to achieve separation of duties, by checking the work done by others. Sometimes, the knowledge that records will be checked by others is enough to prevent misappropriation of assets.
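The rule above (no one person holds two or more of the four duty categories, with management review as a compensating control where staff is short) can be checked mechanically against a department's task assignments. The following is an added example, not part of the original page or any Columbia system; the task names, the task-to-category mapping and the sample roster are constructed for illustration.

```python
"""Segregation-of-duties conflict check over a constructed task roster."""
from itertools import combinations

# The four duty categories named in the text. Each task is assigned to one
# category; this mapping is a constructed illustration, not a university list.
TASK_CATEGORY = {
    "authorize_purchase": "authorization",
    "receive_goods": "custody",
    "receive_checks": "custody",
    "approve_writeoffs": "authorization",
    "deposit_cash": "custody",
    "reconcile_bank": "reconciliation",
    "approve_timecards": "authorization",
    "distribute_paychecks": "custody",
    "post_ledger": "record_keeping",
}

# Constructed sample assignments: who currently performs which tasks.
ASSIGNMENTS = {
    "alice": ["authorize_purchase", "receive_goods"],       # authorize + custody
    "bob": ["deposit_cash", "reconcile_bank"],              # custody + reconciliation
    "carol": ["post_ledger"],                               # single category, no conflict
    "dave": ["approve_timecards", "distribute_paychecks", "post_ledger"],
}


def incompatible_pairs(tasks):
    """Pairs of a person's tasks that fall in different duty categories."""
    return [(a, b) for a, b in combinations(sorted(tasks), 2)
            if TASK_CATEGORY[a] != TASK_CATEGORY[b]]


def sod_report(assignments, reviewed_by=None):
    """One finding per person who controls two or more duty categories.

    reviewed_by maps a person to the manager who independently checks their
    work; that is the compensating control the text describes for small units,
    so such findings are flagged as compensated rather than dropped.
    """
    reviewed_by = reviewed_by or {}
    findings = []
    for person, tasks in assignments.items():
        categories = sorted({TASK_CATEGORY[t] for t in tasks})
        if len(categories) < 2:
            continue
        findings.append({
            "person": person,
            "categories": categories,
            "pairs": incompatible_pairs(tasks),
            "compensated": person in reviewed_by,
        })
    return findings


if __name__ == "__main__":
    for f in sod_report(ASSIGNMENTS, reviewed_by={"bob": "manager"}):
        status = "compensated by review" if f["compensated"] else "UNMITIGATED"
        print(f"{f['person']}: {', '.join(f['categories'])} -> {status}")
```

The report lists every conflict, including those that management review mitigates, so the reviewer can see where the control depends on a person rather than on a structural separation.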
Cash is a highly liquid asset, meaning that it can easily be misappropriated. For this reason, it is important to have strong controls over cash operations.
Cash should be physically secured with limited access to registers, safes and cash boxes. Deposits should be made timely, before large amounts of cash accumulate. Petty cash accounts should be reconciled regularly. Surprise cash counts should be made in any operation handling large amounts of cash.
Supervisors Not Approving Time Worked
Columbia has online approval for time worked by hourly employees. The person who approves an employee's timecard should be the person familiar with the employee's work and the hours the employee works, most often the employee's supervisor. In those cases where it is not possible for the supervisor to approve an employee's time online, the supervisor should document his or her approval in writing. Should a question come up later about a timecard, this gives an additional measure of certainty regarding the time recorded by the employee, as well as written evidence that the supervisor knew the employee worked those hours, and was approved to work those hours.
Inadequate Review of Transactions Before Approval
The effectiveness of internal controls is limited to the extent that decisions are made with judgment, in the available time, based on the information on hand, and under pressure to conduct business. Internal controls can break down when authorizers do not review the forms they must sign, such as accounts payable vouchers, reconciliations, and time cards.
Lack of Certification and Review of Accrued Leave Balances
Certification and confirmation of accrued leave balances are essential to ensure that accurate records are maintained. Requiring employees to regularly certify their leave balances, and requiring the employee's supervisor to review and approve these certifications, provides a strong control over the tracking of leave balances and reduces the possibility of errors or abuse of university leave benefits. Certification and supervisory review and approval also reduce the likelihood of disputes between the employee and the university at the time of separation from the university.
Lack of Supervisor Review of Travel
The purpose of the University Travel Expense Policy is to ensure that travel charged to university accounts is for legitimate business purposes. Failure to comply with this policy increases the risk of loss due to errors and irregularities. This policy states that the "DAF review, sign, and date the report." This review must be performed by the traveler's supervisor, as they are likely to be in the best position to assess the legitimacy of the business purpose for travel. Supervisory review can take many forms, such as pre-transaction review or a periodic scan of transactions with detailed review of unusual or questionable items. Delegation of this responsibility should only be on a short-term, emergency basis.
Lack of documented business purpose of travel and other business expenses is an audit concern that arises regularly.
The university receives, from a variety of sources, funds that carry with them fiduciary responsibilities. These responsibilities require that funds only be used for ordinary, reasonable, and actual business-related expenses incurred in furtherance of the university's missions. When university community members fail to provide supporting documentation evidencing business purpose of expenses, as required for internal and external reviewers, it can result in inappropriate charges going undetected. Evidence of lack of documented business purpose or failure to detect inappropriate charges could lead to fines, penalties, and a loss of the public trust which could have a serious impact on future funding.
University policies were established to help ensure that Columbia is in compliance with regulations and to allow for accurate and efficient operations within Columbia. Compliance with these policies is important.
Visit the University Policies website to find relevant Finance policies.
The University's bidding procedures were established to ensure that the University receives competitive pricing on goods and services. They also ensure that purchases are not subject to favoritism and can protect against fraud in the purchasing process. In addition, individuals who use State and Federal funds to purchase items may be required, as a condition of accepting those funds, to bid out their purchases.
Often we find that employees who have left the university or who have transferred to another department still have access to computer systems. Unauthorized access to records is the biggest risk here, but the existence of this condition highlights a larger issue, the lack of procedure -- or the ineffectiveness of the existing procedure -- when employees are hired or leave the department. To deal with the computer access problem, departments could use a checklist of access to computer systems to be given to new hires, and use the same list to remove access when the employee leaves.
An employee may change positions within the department, requiring access to departmental systems that weren't necessary at his or her initial hire date, or new systems may be implemented. For this reason, it is wise to periodically check who has access to your computer systems. Does your department have a procedure in place to do this?
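The periodic check the text asks for (who still has access, and whether they should) amounts to reconciling a system's account list against the HR roster. The following is an added example, not code from the original page or from any Columbia system; the CSV layouts, the system name `dept_finance_app` and the employee records are constructed to show the three conditions the text describes: a separated employee who still has access, a transferred employee whose access was granted for a former department, and an account that matches no one on the roster.

```python
"""Reconcile system accounts against an HR roster to find stale access."""
import csv
import io

# Constructed HR roster: one row per person, status and end date from HR.
HR_ROSTER = """\
employee_id,department,status,end_date
ab1234,Finance,active,
cd5678,Finance,terminated,2024-03-15
ef9012,Library,active,
"""

# Constructed export from a departmental system: who holds an account and
# for which department the access was originally granted.
SYSTEM_ACCOUNTS = """\
system,employee_id,department_granted
dept_finance_app,ab1234,Finance
dept_finance_app,cd5678,Finance
dept_finance_app,ef9012,Finance
dept_finance_app,gh3456,Finance
"""


def review_access(roster_csv, accounts_csv):
    """Return (system, employee_id, reason) for every account that should be
    removed or re-approved. Accounts that match an active employee in the
    department the access was granted for produce no finding."""
    roster = {row["employee_id"]: row
              for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        person = roster.get(acct["employee_id"])
        if person is None:
            reason = "no roster match: account holder unknown to HR"
        elif person["status"] != "active":
            reason = f"separated on {person['end_date']}: access not removed"
        elif person["department"] != acct["department_granted"]:
            reason = (f"transferred to {person['department']}: access granted "
                      f"for {acct['department_granted']} needs re-approval")
        else:
            continue
        findings.append((acct["system"], acct["employee_id"], reason))
    return findings


def removal_checklist(findings):
    """Group findings by system so each system owner gets one action list,
    mirroring the hire/leave checklist the text recommends."""
    by_system = {}
    for system, employee_id, reason in findings:
        by_system.setdefault(system, []).append((employee_id, reason))
    return by_system


if __name__ == "__main__":
    for system, items in removal_checklist(
            review_access(HR_ROSTER, SYSTEM_ACCOUNTS)).items():
        print(system)
        for employee_id, reason in items:
            print(f"  {employee_id}: {reason}")
```

Running this on each system's export at a fixed interval (and at every hire, transfer and departure) turns the question at the end of the section into a repeatable procedure; the transfer case matters because the account is still legitimate in HR terms but was approved for a role the person no longer holds.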