Synopsis of Internal Control FY 2011

This is the second in a series of updates designed to keep each of you aware of various internal control issues that affect the University, your department and you. The foundation for these updates is recent Internal Audit Reports as well as news articles that describe conditions encountered at other universities or government agencies.

The basic premise is that we all can learn from the mistakes of others. Internal Audit reports provide a wealth of information about what went wrong and what steps should be taken to correct the situation and to prevent reoccurrences. While the facts and circumstances may vary, we can learn about a variety of internal controls not from a theoretical standpoint but from real life situations encountered here or at other universities and government agencies.

To start, let's take a look at what internal control is and who is responsible for internal control at the University. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control is a process, effected by an entity's board, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations;
• reliability of financial reporting; and
• compliance with applicable laws and regulations.

Furthermore, the Arizona Board of Regents adopted policy #6-711 entitled "Internal Control Responsibilities" in October 2007 and the corresponding guidance for implementation to highlight the importance of and responsibility for internal controls within the Arizona system (see ABOR Policy 6-711 and Guidelines for Implementation of Policy 6-711). Essentially, they indicate that the president and the senior management of each university are responsible for establishing the internal control structure and for providing relevant information regarding policies and controls to all university personnel. Academic and nonacademic administrators and staff at every level are responsible for compliance with university and board policies and controls.

Next, I would like to share, in part, an article written by M. Kevin Robinson from the February newsletter produced by the Department of Internal Auditing at Auburn University.

Often the best solutions and internal controls are the most basic. Sometimes I believe we, as auditors, overly complicate things with internal control models and complicated terms when really just the basic and simple is the best control. For example, in my opinion the single best internal control any department or organization can implement is this: having managers and staff trained to pay attention to detail and follow-up on things that appear unusual.

At La Salle University a multi-million dollar fraud case occurred over more than 10 years. In this case the former director of food services set up a bogus company and began invoicing the university. The fraud was discovered when the perpetrator used the same invoice number twice. A conscientious and alert clerk noticed the duplicate number when processing the payment request and began asking questions. Noticing this discrepancy and then following up with questions ultimately lead to an investigation and conviction.

So often over the years we have been involved in compliance failures of some kind where employees or managers did not pay attention, or if they did, failed to follow-up with questions. This is really your first line of defense in managing risk proactively. Ensure that you and your employees pay attention and follow-up on those unusual things you observe. Simple can sometimes be the most effective.

Finally, I would like to share with you a synopsis of select University of Arizona Internal Audit reports issued from 2009 - 2010. The selection was made to highlight certain issues – cash handling, unallowable expenditures, itemized receipts, inventory, PCard and use tax, and signature authority. These summaries are being issued in conjunction with the Internal Audit Department who provided their input to insure that any paraphrasing does not distort the original findings and recommendations. Thanks to Sara Click and her staff for their assistance.

Synopsis of Internal Audit Report Findings

Cash Handling

Finding: Thirty-six percent of the departments in one of the colleges reviewed had weaknesses in cash handling and receiving procedures. The college collected revenue for a variety of reasons and the departments with weaknesses identified processed approximately 21% of the college's revenues. Departments identified as having weaknesses were not aware of the detailed cash handling procedures or had not assigned adequate staff to participate in the receiving, recording and depositing process.

Recommendation: Train employees performing cash handling duties and adhere to the University's Cash Receiving Policy to ensure that all funds received are deposited completely and timely.

Learning Points: With recent reorganizations and reductions in staff experienced by many colleges and departments, there is an even greater need for you to periodically review and compare the University's Cash Receiving Policy to the cash handling processes in the areas for which you are responsible. Without appropriate controls in place to prevent or detect missing funds; cash, checks and credit card payments are subject to loss, theft, or misuse.

Unallowable Expenditures

Finding: During an audit of American Recovery and Reinvestment Act (ARRA) expenditures and reporting, six unallowable expenditures were identified. One purchase was for office supplies that were not solely used by the ARRA award. Two were for collision damage insurance waivers (CDW), which is not allowable for renters over the age of 25 driving rental cars in the United States. Three travel reimbursement expenditures did not comply with the University of Arizona's travel policy regarding per diem meal reimbursement and maximum allowable lodging rates per night.

Recommendation: Obtain repayment from the travelers for the unallowable CDW insurance and travel reimbursements. Remind employees about University expenditure policies; monitor for compliance.

Learning Points: In this case, department reviewers and authorizers did not identify the unallowable expenditures prior to approving the documents. All reviewers and authorizers working with sponsored projects should periodically review both Sponsored Projects Compliance information as well as University Expenditure Policy 9.10. Similar to the article above, sometimes the best control is to just pay attention to detail and follow-up on anything you find unusual or that you question. Review policy and procedure information available on the University website or contact the appropriate department or office directly to resolve any uncertainties.

Itemized Receipts

Finding: In the same ARRA audit as above, original itemized receipts were not available in support of five reimbursements/purchases that were charged to an ARRA award. Two of the five were PCard purchases; the PCard Missing Receipt Form was not completed and submitted to FSO Financial Compliance, as required. The other three were travel claim reimbursement requests for lodging wherein itemized hotel receipts were not attached to support the reimbursement request.

Recommendation: Remind travelers and PCard holders of the requirement for original, itemized receipts; monitor for compliance. Prepare PCard Missing Receipt Forms for the unsupported PCard purchases. As allowed by the Financial Policies & Procedures Manual, prepare a letter, approved by the department head, approving the missing itemized receipts for lodging charges and include other available documentation, such as a credit card receipt or cancelled check.

Learning Points: Here, PCard holders and the travelers did not follow University documentation requirements when submitting expenditure documentation. The department reviewer and approver did not scrutinize the receipts provided in order to catch the noncompliance. Noncompliance with University policy results in the costs being unallowable for payment from a federal award. This also relates to the article above, in that, managers and staff must pay attention to detail even when performing routine daily tasks.

Inventory

Finding: A department carried a stock of medical devices and accessories for sale. The inventory was not monitored, counted, and reported in compliance with University policy. Changes in
inventory were not reconciled to sales records and inventory on hand was not reported at fiscal year end.

Recommendation: Reconcile changes in inventory to sales records. Follow all University procedures for performing physical inventory and reporting inventory on hand at fiscal year end.

Learning Points: As colleges and departments continue to seek and implement new sources of revenue, inventory procedures can easily be overlooked. I would encourage you to look at revenue sources, especially any newly implemented ones, in all of the areas you are responsible for to determine if inventory procedures are necessary and in place. Additionally, at year end remember to watch the FSO website for any special year end instructions on inventory, accounts receivable, deferred revenues, prepaid expenses and deposit information. Contact FSO with any questions.

PCard and Use Tax

Finding: In an audit of one department, issues were found with use tax assessments on service and/or tax exempt purchases that resulted in unnecessary charges to departmental accounts. Use tax was unnecessarily assessed on 35% of the sampled PCard purchases.

Recommendation: Re-train PaymentNet reconcilers and approvers about the importance of correctly identifying service/tax exempt purchases in PaymentNet; monitor for compliance. Additionally, management should evaluate whether prior use tax assessments should be reviewed and corrections made as necessary. Should management determine that use tax corrections should be made, contact FSO for assistance.

Learning Points: Even though PaymentNet reconcilers and approvers are required to take PCard training, in this case they were unaware of the policy regarding service and/or tax exempt purchases and the requirement to check the "Service/Tax Exempt" button in PaymentNet to prevent any unnecessary assessment of use tax. Use tax procedures have changed with the implementation of UAccess Financials and I encourage you to inquire with reconcilers and approvers in the areas you are responsible for and ensure they understand how to review use tax. If issues are identified, refer them to the Purchasing Card Reconciliation Fiscal Officer Approval Supplemental Information or contact Pcard Administration. Also, if use tax corrections are necessary, contact FSO for assistance.

Signature Authority

Finding: A department head signed a memorandum of understanding (MOU) that committed the department to work with two community organizations to operate a business. The department head was not an authorized signer for the University.

Recommendation: Contact the University Contracting Office and Sponsored Project Services for further guidance on the MOU.

Learning Points: In this case the department was not aware that an authorized signer should sign the MOU. Arizona Board of Regents Policy 3-103 authorizes the University of Arizona president to delegate authority to execute contracts to the appropriate university officials. Furthermore, the Contracting Office's procedures prohibit employees from signing any agreement without contacting the Contracting Office. So if you have a question regarding who can sign, follow-up by contacting the Contracting Office prior to execution.

In the end, internal controls touch all of us and we all have a responsibility to comply with the Arizona Board of Regents' and the University of Arizona's policies and procedures. We should all follow the example from the news article above by paying attention to detail and when we run across something unusual or something that we question, follow up. Please share this with your staff, as appropriate, and keep the news article and the Internal Audit examples above in mind as you periodically review the internal controls in your own areas.