EIU Department of Office of Internal Auditing

Basic Internal Control Assessment

The basic internal control assessment will assist department chairs and directors with assessing their compliance with good internal controls and the university's policies. The assessment should be completed annually. Please utilize the information below to assist you in completing the assessment and maintain a copy of the assessment for your records. It does not need to be sent to Internal Auditing.

• Basic Internal Control Assessment

Basic Internal Control Assessment Explanations

Organizational

1. The department has an organizational chart.
• An organizational chart is a visual representation of all personnel within a department. The chart shows the working relationship between supervisors and staff and the lines of authority.
2. The department has a statement of mission and objective.
• A mission statement provides a sense of direction for the department. It includes the department’s goals and guides decision making.
3. The department has current departmental policies and procedures, and employee manuals, as applicable.
• Policies and procedures and employee manuals allow management to guide operations of the department. These aid in employees’ understanding of their responsibilities and the transfer of knowledge as staff turns over. It is important that employees have access to the policies and procedures.

General

1. Fiscal agents are familiar with the Board of Trustees regulations and the university internal governing policies (IGPs).
• The regulations and internal governing policies are general statements of policy or procedure adopted by the board or university concerning the conduct and operation of the university. Familiarity with regulations and policies is an important internal control that ensures appropriate use and safeguarding of university resources.
2. The department has a current website on the university website.
• A website communicates to the general public and the campus community about the department’s services and contact information. Websites should be maintained and updated on a periodic basis.
3. The department maintains current social media sites and has provided login information to Marketing and Creative Services.
• Social media sites communicate to the general public and the campus community about the department’s services and events. These sites should be maintained and updated on a periodic basis. Login information should be provided to Marketing and Creative Services to ensure continued access due to employee turnover or similar issues.
4. The department maintains its records in accordance with the university's record retention requirements.
• Each department has a records retention schedule approved by the State Records Commission. Records cannot be disposed of without the Commission’s approval. See IGP #136 – Records Management Program.
5. Department personnel who handle social security numbers undergo Identity Protection Act training on an annual basis.
• The State’s Identity Protection Act controls the collection, use and disclosure of social security numbers by university employees, including student workers. Individuals must undergo annual training regarding the proper methods for collecting, using and/or disclosing social security numbers. See IGP #133.2 – Social Security Numbers.

Accounting

1. Documentation (hard copy/electronic file) exists to support timely reconciliation of departmental accounts on a consistent basis.
• Reconciling an account proves the transactions comprising the account balance are correct. A spreadsheet or similar reconciliation should be maintained for each department org. The purpose of the reconciliation is to track transactions as they occur and match them to transactions recorded on the Argos monthly detail reports. This will enable the department to quickly identify any questionable transactions posted to the org and to take corrective action to ensure accurate financial condition of the department. Authorization, recording and reconciling of transactions should be segregated duties.
2. Documentation also exists to support that reconciliations are reviewed in a timely manner by the appropriate department head and/or signature authority.
• Account managers are responsible for knowledge of established internal controls, for operating their units in accordance with university policies and procedures, for periodic reviews of their budgets, and for operating their units within the budgets provided. Review of the reconciliation is a crucial internal control.

Cash Receipting/Handling

1. Documentation (hard copy/electronic file) exists to support that cash receipts/deposits are reconciled to Banner.
• Documentation is important because it provides supporting evidence that deposits have been reviewed for accuracy.
2. Duties related to receipting, depositing and reconciliation of funds are adequately separated.
• Cash is the asset most susceptible to loss. All departments responsible for collecting cash, checks and credit card payments should ensure timely deposit, safeguarding of funds prior to deposit, proper segregation of duties in the handling process, and regular reconciliation to ensure all funds have been deposited accurately. The employee who receives the funds should prepare a daily log of incoming cash and checks. A second individual should compare the daily logs and cash receipt book to the amount deposited.
3. Checks are restrictively endorsed “For Deposit Only, Eastern Illinois University” upon receipt.
• Placing a restrictive endorsement on a check or money order immediately upon receipt is crucial to reducing the risk of fraud.
4. A pre-numbered receipt, cash log or register tape is used to document cash received.
• Receipts should be pre-numbered to ensure all transactions are recorded and accounted for.
5. Funds are adequately safeguarded until deposited with the Cashier’s Office and are deposited within the proper timeframe.
• Cash and checks should be stored in a secure location with access limited to a few individuals. Deposits to the Business Office should be made no later than the next business day or if less than $50, then weekly. See IGP #102 – University Accounts.
6. Petty cash or change funds (if used by the department) are properly established.
• Petty cash and change funds may be established with the approval of the university treasurer. See IGP #100 – Petty Cash and Change Funds.
7. Petty cash and change funds are periodically counted by someone other than the custodian to ensure the full amount is accounted for.
• Periodic cash counts are an important internal control. Verification of cash balances must be performed in the presence of the custodian. Quarterly cash counts are recommended.
8. The department does not have an external bank account.
• Revenues generated or funds received by a department should be deposited into the appropriate university org through the Business Office.
9. Proper procedures are in place to ensure sales tax is collected and reported accurately and timely for taxable events/goods.
• Retail sales must comply with applicable state statutes, including the collection of sales tax. See IGP #170 – Retail Sales on University Property.
10. The department does not retain payers’ credit card information or other personal data.
• The university must implement an information security program related to personally identifiable financial information of a customer of the university. See IGP #133.1 – Safeguarding Consumer Information.
11. Charges for services to other departments are sufficiently documented, justified, and properly approved.
• Many departments on campus provide services to other departments. All charges must be documented and approved appropriately.
12. All departmental fees or charges assessed to students have been properly approved.
• Fees and charges to students must be approved by either the Board of Trustees or university president.

Property Control

1. The department adequately controls equipment inventory (i.e. takes an annual inventory and reports any discrepancies).
• State and university policies require an annual physical inventory of all state-owned property in the university’s possession. See IGP #163 – University Personal Property Control.
2. The department maintains a listing of blue-tagged inventory items (those items costing $100.01 - $999.99).
• The State Property Control Act requires all university-owned property to display identification. See IGP #163 – University Personal Property Control.
3. Individuals removing equipment from the premises have completed a Temporary Removal of Property Request.
• Employees may not remove equipment from campus without proper approvals from the account manager and dean/director. Long-term removals require approval by the Vice President for Business Affairs. See IGP #163 – University Personal Property Control.

Procurement and Travel

1. The department has reviewed the purchasing guidelines.
• See IGP #108 – Purchasing.
2. P-cards are stored in a secure location while not in use.
• Each cardholder is responsible for his/her card and to secure it when not in use. Storing the card in a wallet increases the risk the card may be stolen or accidentally used for non-business purposes.
3. Department employees have reviewed the procurement card policies and procedures.
• All p-card approvers and cardholders should review the procurement card policies and procedures. See https://www.eiu.edu/purchasing/pcard.php.
4. Reimbursements to department personnel are properly authorized and sufficiently documented.
• Requests for reimbursements should include original backup documentation and approval by someone other than the payee.
5. Department personnel are aware of the prohibition against purchasing goods and/or services from university employees and their immediate family.
• The p-card cannot be used to make a purchase from any State of Illinois employee, or any State of Illinois employee who owns more than seven and one half percent (7½%), or together with a spouse or minor child more than fifteen percent (15%), of the total distributable income of the business enterprise.
6. If the department's operations require the purchase of food, departmental personnel are aware of the policies and procedures pertaining to food purchases.
• Permission to purchase food must be approved prior to the purchase. See IGP #113 – Business Expense Reimbursement for Food Purchases.
7. If the department's operations require certain entertainment expenses, departmental personnel are aware of the hospitality policies and procedures.
• See IGP #114 – Business Expenses.
8. If the department's operations require technology purchases, departmental personnel are aware of the policies and procedures pertaining to technology purchases.
• See IGP #103 – Computers, Servers, and Software.
9. All personnel that travel on university business prepare the necessary permission to travel documents (Travel Application) and retain original receipts for reimbursement with the Travel Voucher.
• Permission to travel must be approved prior to departure. Travelers must submit original receipts for reimbursement. See IGP #111 – Travel.
10. Employees are aware that travel expenses which are reimbursed by a third party are not eligible for reimbursement by the university.
• Receiving reimbursement from the university for expenses reimbursed by a third party is fraudulent and prohibited.

Human Resources and Payroll

1. The department maintains adequate controls over tracking and record keeping for accrued leave and sick leave used by employees.
• Departments should maintain a system for tracking leave utilized during the payroll period. The information should be reconciled to leave reported on timesheets and leave reports.
2. Timesheets and leave reports are reviewed and approved by persons who have personal knowledge of the time worked by each employee.
• To ensure accountability and accuracy, timesheets and leave reports should be approved by supervisors.
3. Each employee in the department is aware of the State's ethics law and the university's policies regarding supplementary and outside employment.
• See IGP #22 – Supplementary Personal Services.
4. If employing students, departmental personnel have reviewed the student employment policies and procedures.
• See IGP #71 – Student Employment Policy.
5. The department maintains a daily log of all hours worked by student employees.
• A daily time record must be maintained on each student employee. This daily record should be carefully kept and monitored by the student employee supervisor.
6. Annual performance evaluations are conducted for all civil service employees and/or performance evaluations for A&P employees are conducted according to length of employment and results are submitted through proper channels.
• All employees must undergo periodic performance evaluations. See IGP #31 – Performance Evaluation of Administrative Staff and IGP #39 – Civil Service Performance Appraisal.

Technology and Telecommunications

1. Department staff has read and understands the acceptable use policy for computers.
• See IGP #129 – Use of Technology Resources by Employees for acceptable use of university computers and related equipment.
2. Department staff is familiar with ITS' website which offers information and resources about information security (phishing, social engineering, mobile security, etc.) and allows users to report information security incidents.
• Fraud and theft via information technology continues to grow. Employees should familiarize themselves with best practices to identify and avoid possible compromising situations. Incidents, including suspicious emails, should be reported to support@eiu.edu or phishing@eiu.edu.
3. The department is aware of the procedures to surplus old computers/devices and remove them off of the department's inventory.
• Employees are expected to follow the prescribed process for decommissioning devices. See IGP #103 – Computers, Servers and Software.
4. Telecommunications charges not allowed by university policies are billed back to the responsible employee.
• Telephone usage is established in accordance with State policies. See IGP # 101 – Telephone Usage.
5. Department personnel review the monthly telecommunications statement for telecommunication charges.
• Monitoring long distance charges reduces the risk of unauthorized individual use.

Grants

1. All proposals for outside grants are submitted through the Office of Research and Sponsored Programs.
• See IGP #57 – Grants and Contracts Proposal Approval.
2. Financial reports for grants that are prepared by the department are reviewed by the Business Office before they are released to any party outside the university.
• See IGP #57 – Grants and Contracts Proposal Approval.