Controls can be either preventative or detective. Preventative controls are proactive in that they attempt to deter or prevent undesirable events from occurring. Detective controls provide evidence that an error or irregularity has occurred. While preventative controls are preferred, detective controls are critical to provide evidence that the preventative controls are functioning as intended. Basic control activities include:
- Approvals, Authorization & Verification
- Separation of Duties
- Accuracy of Data Input
BUDGETARY/FINANCIAL CONTROL (Detective)
Basic Principle: Care should be taken to prepare reasonably accurate financial budgets and projections based on the most reliable data available. Actual financial activity should then be compared on a regular basis to budgeted and/or projected amounts to provide an early warning signal as to significant positive or negative variances. Some variances could indicate temporary or permanent changes in the particular business environment, which may warrant changing certain aspects of how business is conducted. Other (especially negative) variances could indicate that processing errors or fraudulent activities are occurring. A minimum variance threshold should be established for key financial indicators. Variances in excess of the threshold should be investigated. Examples would include:
- Unusually low expenses could be merely due to timing delays on the part of vendors, but could also be the result of internal coding errors or misplaced invoices that have yet to be paid.
- Unusually high expenses may be legitimate and may warrant adjusting the budget plan accordingly. They could also be the result of coding errors, unauthorized expenditures, or overcharges by vendors.
- Unusually low revenues may indicate a general downturn in business activity due to some external factor. However, they could also be the result of internal processing errors or misappropriation of receipts (especially cash) by employees.
- Unusually high revenues, which cannot be explained by increased business activity, could be the result of internal processing or coding errors.
- Higher than normal accounts receivable could be the result of higher sales activity, but could also be indicative of problems in collections or processing cash payments.
Basic Principle: Management review of reports, on-line activity, reconciliations and other information is an important control activity. Fiscal responsibility may be delegated to the administrative staff but ultimately is retained by Deans, Directors, Department Chairs and Principal Investigators, who should at minimum:
- Review for consistency and reasonableness.
- Ensure reconciliations are timely and complete.
- Follow-up on any questionable items or problems detected.
PROPER APPROVALS, AUTHORIZATION AND VERIFICATION (Preventative)
Basic Principle: The action of approving transactions should not be taken lightly. An approval indicates that the approver has reviewed the supporting documentation and ensured that it is appropriate, accurate and in compliance with university policy and procedures. Thus, responsibility for a transaction comes along with an approval.
- Supporting documentation should be sufficient for the approver to fully understand what they are approving. Any unusual items should be questioned.
- Do not use rubber stamps or initialed approvals, and do not share passwords.
- Do not pre-sign blank forms.
Basic Principle: Review approval levels to ensure they are commensurate with the nature and significance of the transaction. Persons approving transactions should have the authority and knowledge to make informed decisions to:
- Execute binding contracts.
- Approve purchase transactions.
- Approve personnel actions such as hiring new employees, terminations, promotions, and hours worked.
- Access confidential computerized or hard copy information relevant to their work responsibilities (“need-to-know” access).
Basic Principle: Authorization to pay suppliers/vendors (or to reimburse an employee) for an employee's business-related expenses (including those charged using a University assigned credit card) should always be obtained from a higher-level supervisor of that employee. This would include Department Heads, Directors, Vice-Presidents, Deans, etc. who ordinarily would have signatory authority over such transactions. No one should be allowed to approve such payments to him/herself or to suppliers and vendors for expenses they have personally incurred on behalf of the University. Examples of such transactions are as follows:
- Travel expenses.
- Procurement card purchases.
- Local business meals.
- Entertainment expenses.
Basic Principle: Authorization and access privileges must be modified or deleted, as appropriate, immediately upon the transfer or termination of employees in order to protect the integrity of the internal control system. Examples of actions to take upon transfer or termination of an employee are as follows:
- Return of keys to buildings, offices, and vehicles.
- Return of SU travel card and/or procurement card.
- Notification to SU ID Card Office relative to building access privileges.
- Notification to the Comptroller’s Office of change in signature authority.
- Deletion of computer access privileges.
Basic Principle: The identity of all individuals involved in a process or transaction should be readily determinable to isolate responsibility for errors or irregularities. This is known as an audit trail and can take the form of signatures, initials, date/time stamps, computer login IDs, or other means of identification. The documents or computer records containing this information must be kept on file and available for examination for a reasonable time period in line with a record retention policy.
SEPARATION OF DUTIES (Preventative)
Basic Principle: No one person should be able to control a transaction or process from beginning to end without intervention or review by at least one other person. Specifically, no one person should both initiate and authorize a transaction, nor should one person both record and reconcile transactions. This principle is not limited to financial activities alone (e.g. it also applies to processing student grades). Involving two or more people to perform key responsibilities reduces the opportunity for misappropriation of funds or fraud. Examples include:
- Grade changes processed by the Registrar should be verified by the college recorder and/or the respective instructor.
- Revenue processing – A single person should not handle cash and verify deposits. Ideally three people are needed to properly segregate duties: one person receives the revenue and creates a receipt, another person prepares the deposit, and a third reconciles it to the general ledger monthly. If only 2 are available, the cashier can return the validated deposit slip to the first person to be compared to the receipts generated. If the receipts were for a payment on an account, the deposit process should be separated from posting the payment to the accounts receivable.
- Expenditure processing – One person should not process, approve and reconcile expenditures. At minimum, the approval and reconciliation duties should be segregated.
- Payroll processing – Ideally, one person should input time, another approve and a third reconcile. The person who adds new employees on payroll should not also enter and approve hours worked, distribute paychecks, and manage the departmental budget.
In all cases, independent post-transactional review or reconciliations by the person fiscally responsible for the budget should be performed to help achieve greater control.
Basic Principle: Periodic comparisons of detail records should be made with an independently maintained control record. Examples:
- Monthly transaction reports are sent by the Comptroller’s Office summarizing the revenue, expense and encumbrance activity. In order to validate data integrity and accuracy, the budget manager of each account should reconcile the amounts to supporting documentation (revenue, expenses, procurement card statements, payroll, etc.). Identify any transactions not yet recorded to obtain accurate budget availability. Indicate that this review was performed (e.g. initials or checklist) and file with the supporting documentation. Any discrepancies should be investigated.
- Detail listing of accounts receivable balances should be totaled and compared to the balance shown in the general ledger control account at least once per month. Any errors identified in this process should be corrected.
- A physical inventory of goods for resale should be taken at least annually and a total dollar value determined. The total could then be compared to that shown in the appropriate general ledger control account. The ledger should be adjusted to agree to the actual inventory value. Explanations for the variance should be investigated and documented.
- Reconciliations should be performed in a timely manner, documented, and approved by management.
PHYSICAL SECURITY (Preventative and Detective)
Basic Principle: All reasonable efforts should be made to safeguard the physical assets of the organization from the risk of loss or damage. Examples of these assets include:
- Cash, checks, securities.
- Machinery, office equipment, furnishings, vehicles.
- Computer hardware, software and databases.
- Important documents, confidential files.
- Original financial transaction records.
- Inventories of goods for resale, tools, supplies.
ACCURACY OF DATA ENTRY (Preventative and Detective)
Basic Principle: Original data entry into production computing systems should be checked, verified or edited in some way to identify errors and to ensure the accuracy and reliability of the data. The most appropriate or efficient method will depend on the particular computing system and the type of data. Examples of methods used include:
- Comparison of output reports to original data entry documents.
- Built-in computer system edits to check for “reasonableness” of data in key fields.
- Comparison of batch totals of certain statistical data to output reports of matching statistics.
See Application Self Evaluation for further information.
621 Skytop Road, Suite 100 • Syracuse, NY 13244-5290 • (315)443-5150