Embed Size (px)
Citation preview
Internal Control Guide I 3
There are two primaryschools of thought in devel-oping an audit approach:
■ One viewpoint is to assume that everyone is look-ing for ways to “beat the system”; therefore, theauditors devise audit steps that focus on findingevidence of wrong-doing.
■ The other approach is to assume that most peopletake pride in their work and want to do the rightthing—they just need to know what is expected of them and have the information and tools available to allow them to successfully carry out their responsibilities. In this case, the auditor’sapproach is to examine areas of high risk and focuson ways these risks can be most effectively and efficiently mitigated.
I’m pleased to say that the latter is the vision, philoso-phy, and progressive approach we have adopted in theDepartment of Internal Auditing at Georgia Instituteof Technology.
As we have canvassed the campus conductingaudits and collaborated with colleagues throughouthigher education, we have compiled perspectives andobservations of “best practices” in handling many of
the areas of risk that most units (departments, schools,etc.) encounter. This is not a policies and proceduresmanual – there are already many valuable policies andprocedures which outline business rules. Our goalwith this document, instead, was to compile ourobservations and recommendations on best practicesin managing business risks and creating effective andefficient systems of internal control.
In establishing solid risk mitigation procedures andstrong systems of internal control, faculty and staff arethen free to advance their units’ missions towardsachieving their strategic goals.
This will be a living document and will be updatedfrequently so we encourage visits to our web site tocheck for updates and revisions. We welcome ques-tions and feedback regarding the information con-tained herein, particularly comments regarding howthis may be more useful.
We express our appreciation for the support fromthe Office of the President, the Executive Staff, and themany subject matter experts around campus who haveprovided input and feedback on this document. Thiscollaborative approach with senior managementdemonstrates the Institute’s commitment to ensuringits administrative processes are on par with the highstandards of excellence Georgia Tech is known for inits academic and research initiatives.
Robert N. Clark Jr., Director
Introduction
Internal Control Guide I 5
Areas of Financial Risk 6
I. Accuracy of Financial Records 7II. Sponsored Programs 9III. Capital Assets 12IV. Foundation Funds 15V. Travel 18VI. Cash & Receivables 20VII. Distribution & Control
of Payroll Advices 23VIII. Procurement 24IX. Communications 26X. Risk Management 28
Areas of Human Resources Risk 30
XI. Leave Reporting 31XII. Off-Campus Assignments 33XIII. Employment Eligibility Verification 34XIV. Sexual Harassment 36XV. Consultants vs. Employees 38XVI. Compliance with Equal
Employment Opportunity Laws 40XVII. Annual Performance Evaluations 41
Areas of Legal & Regulatory Risk 42
XVIII. Contracts 43XIX. Gifts 44XX. Open Records Act 45
Areas of Health & Safety Risk 46
XXI. Safety of Workplace 47XXII. Chemical Safety 49XXIII. Hazardous Waste 51XXIV. Biological Safety 52
Areas of Information Systems Risk 53
XXV. Strategy and Vision 54XXVI. Operations/Administration 56XXVII. Logical Security 58XXVIII. Physical Security Controls 61XXIX. Environmental Controls 63XXX. Training 65XXXI. Data Stewardship 66XXXII. Documentation 68XXXIII. Equipment Maintenance 70XXXIV. Back-up and Recovery 72XXXV. Software Licensing 74XXXVI. Web Site Operation/Development 76
Areas of Public Relations Risk 77
XXXVII. External Communications/Media Relations 78
XXXVIII. Association withExternal Organizations 79
Areas of Risk Dealing with Students 80
XXXIX. International Student Employment 81XL. Sexual Harassment 83XLI. Protection of Student Information 85
Areas of General Risk 86
XLII. Policies and Procedures 87
Table of Contents
30 I Internal Control Guide
Copyright 2003 • Georgia Institute of Technology • Institute Communications & Public Affairs • T0411000An equal education and employment opportunity institution
Areas of Human Resources RiskSections XI-XVII
Leave Reporting(Last revised 03/03/03)
Description of Risk: Improper compensation couldresult from inaccurate vacation/sick leave recordkeeping, which may be immaterial individually butmaterial for the Institute as a whole.
Criteria: The Institute’s Human Resources Policies andProcedures Manual, Section 2, entitled Attendanceand Time Off, contains descriptions and policiesregarding types of leave available to employees (see http://www.admin-fin.gatech.edu/human).
An August 13, 1997, memorandum from the sen-ior vice president for Administration and Financeand the provost and vice president for AcademicAffairs to all campus units spells out the Institute’sleave record-keeping and reporting requirements.This memorandum specifies that campus unitsshould have a system that includes the following:1) the maintenance of leave records; 2) at leastmonthly reporting by all faculty/staff; 3) monthlyreporting or updating of the unit’s official Instituteleave records; and 4) the sharing of leave balanceswith employees regularly to verify the accuracy ofsuch balances. (We suggest each employee check thebalance listed on his/her payroll advice as a meansof compliance with this step.)
Auditor’s Overview: The purpose of reviewing thisarea is to ensure that campus units have in place asystem that ensures accuracy of vacation and sickleave by all applicable employees.
Best Practices:
1. Communicate the internal leave reporting practicesto unit employees.
2. Designate an individual (and alternates) within theunit the responsibility for reporting monthly leavebalances by unit employees.
3. Update records monthly.4. Maintain monthly leave balance supporting
documentation. 5. Notify individuals who have not reported their
monthly leave balances.6. Monitor timekeeping and appropriate use of time
documents for hourly paid employees to ensurecompliance with the Fair Labor Standards Act. See http://www.admin-fin.gatech.edu/human/compensation/040900.html.
Process
Monthly Leave Reporting
The unit head should ensure that faculty and staffunderstand their responsibilities regarding monthlyleave reporting. This may be accomplished by compos-ing, approving, and distributing internal written poli-cies and procedures to the unit. We review internalleave reporting policies and procedures for severalareas: how vacation and sick leave is processed, report-ing and certification requirements, and confirming peri-odically with employees that leave records are correct.For example, this confirmation may be accomplishedby using the paycheck or pay advice stub to verifyvacation and sick leave figures. Employees should beencouraged to check these figures at each pay periodand report any discrepancies to their supervisor.
Internal Control Guide I 31
XI.
Reporting
The PeopleSoft system is utilized to record monthlyleave balances for the Institute. In order to enter timeinto the PeopleSoft system, an individual must complete the tutorial for vacation/sick leave entry.PeopleSoft – Vacation/Sick Leave Training may beobtained through the Georgia Tech Web Page athttp://training.gatech.edu.
We recommend the unit designate at least threeindividuals to be trained to record vacation/sick leavetime to ensure that any absences do not impact themonthly reporting of leave.
Related Issue
Termination/Retirement: When an employee resignsor retires, payments for accrued vacation leave orcredit for sick leave are to be based on the officialInstitute leave balance as supported by the unit’sback-up leave records.
32 I Internal Control Guide
XI.
Off-Campus Assignments(Last revised 08-27-02)
Description of Risk: Failure to comply with Board ofRegents and Institute policies and proceduresregarding off-campus assignments could subject the Institute to risk of loss from compensatingemployees for activities that are not conducted inthe best interest of the Institute, and could result innegative publicity.
Criteria: The Board of Regents Academic AffairsHandbook, Section 4.05.01, discusses “ProfessionalLeaves of Absence” at http://www.usg.edu/admin/accaff/handbook/section4/4.05/4.05.01.phtml.
Georgia Tech “Policy on Absences from Campusfor Professional Activities” as of February 22, 2000,developed by the Task Force on Campus Absences,contains detailed policy for faculty, as follows:Georgia Tech Faculty Handbook, Section 2.8.2.2(b).Professional leaves of absence are governed by the following:
For eligible staff, Institute policy in HumanResources Policies and Procedures Manual, Section 2.0Attendance and Time Off; Subsection 2.11 on Leave of Absence; and 2.12 on Family Leave have many of the same policies and approvalrequirements as the faculty leave provisionsdescribed above.
Auditor’s Overview: The purpose of reviewing thisarea is to ensure that campus units have in place asystem that ensures that off-campus assignmentsare reported, documented, approved in advance,and monitored.
Best Practices:
1. The unit head communicates, in written policiesand procedures, the internal process for acceptabledocumentation and approval of absences from thecampus for professional and other activities.
2. All faculty and staff members should be aware of Board of Regents and Institute policies and procedures regarding off-campus assignments.Periodic reminders during faculty and staff meetings will serve to reinforce Board of Regentspolicies and procedures.
Process
Internal Process for Professional Leaves of Absence
Responsible unit staff should familiarize themselveswith Board of Regents and Institute policies and pro-cedures pertaining to professional leaves of absence.
The unit should communicate to employees on a periodic basis the Institute’s policy pertaining to professional leaves of absence. This may be accom-plished through reminders at faculty/staff meetings,correspondence with employees, or through unit inter-nal procedures manuals. A designated person in theunit should establish a procedure to ensure the receiptof all requests for professional leaves of absence. The designated person should ensure that the unitobtains required approvals of professional leaves ofabsence and that such approvals are documentedwithin the unit.
Internal Control Guide I 33
XII.
Employment Eligibility Verification(Last revised 07-10-03)
Description of Risk: Failure to complete and maintainrequired documentation for employees of theInstitute could subject the Institute to fines andpenalties imposed by the U.S. Immigration andNaturalization Service, a hold put on hiring of non-resident aliens, as well as adverse publicity.These documents are subject to review duringaudits by the U.S. Department of Labor, Office ofFederal Contract Compliance Programs.
Criteria: The Immigration Reform and Control Act of1986 requires employers to verify the identity andemployment eligibility of anyone hired afterNovember 1986. It is unlawful to knowingly hire,or to continue to employ, any individual notauthorized to work in the United States. Form I-9,Employment Eligibility Verification, was developedfor verifying that persons are eligible to work in theUnited States. Institute requirements call for a newemployee to complete Form I-9 and other requiredforms at the time of employment. Also, policyrequires the tracking of expiration of employmentauthorization documents held by non-residentaliens. Institute hiring departments are responsiblefor advising new employees of the time frame anddocumentation required to complete or updateForm I-9.
Auditor’s Overview: The purpose of reviewing thisarea is to ensure that campus units advise newemployees of the need to contact Human Resourcesto complete Form I-9, before they work in the unit.
Best Practices:
1. The unit head empowers one person with theresponsibility and authority to advise new employees regarding the completion and updating of Form I-9.
2. The appointed administrator advises new employeesthat they are to report to Human Resources to com-plete required paperwork, including Form I-9, beforethey are permitted to work in the unit.
3. The appointed administrator establishes the appro-priate contact with the Office of Human Resourcesin order to be informed on the tracking of expira-tion of employment authorization documents heldby non-resident aliens in the unit. The unit admin-istrator advises applicable personnel of the need toupdate I-9 forms.
4. The unit head appoints an employee within theunit to ensure compliance with the ImmigrationReform and Control Act of 1986, which requiresemployers to verify the identity and employmenteligibility of new employees.
Process
The appointed administrator should put a process inplace to ensure compliance with the ImmigrationReform and Control Act. Some things an administratormight do to implement a compliance process includethe following:
■ Familiarize him/herself with the policies and pro-cedures contained on Georgia Tech’s Web page. See “Offices and Departments, Human Resources,Non-U.S. Citizens, The I-9 Process: EmploymentEligibility Verification” for guidance on completingForm I-9.
■ Formalize an approach for assuring compliancewith Form I-9 procedures.
34 I Internal Control Guide
XIII.
■ Communicate procedures to staff as applicable.
■ Communicate the Form I-9 requirement to staff inpre-employment correspondence and when they initially report to the unit.
■ Establish lines of communication with the Office ofHuman Resources in order to track and notify thosewho are not United States citizens of the expirationof work authorization documents and the need toupdate Form I-9.
Internal Control Guide I 35
XIII.
Sexual Harassment (Last revised 03/03/03)
Description of Risk: Sexual harassment can 1) alienateemployees; 2) create a hostile work environment; 3) result in lawsuits, fines, and penalties for viola-tions; and 4) cause adverse publicity.
Criteria: It is the policy of this Institute that no memberof its community, including administrators, faculty,staff, or students, should be subjected to sexualharassment by another. This policy is intended tocreate an atmosphere in which individuals whobelieve that they are the victims of harassment areassured that their complaints will be dealt with fairly and effectively. Toward this end, the GeorgiaInstitute of Technology supports the principle thatsexual harassment represents a failure in ethicalbehavior, and that sexual exploitation of professional relationships will not be condoned.
Sexual harassment is defined as unwelcome sex-ual advances, requests for sexual favors, and otherverbal or physical conduct of a sexual nature when:1) submission to such conduct is made, eitherexplicitly or implicitly, a term or condition of anindividual’s employment or academic standing; or2) submission to or rejection of such conduct isused as the basis for employment or academic decisions affecting the individual; or3) such conduct has the effect of unreasonablyinterfering with an individual’s work or academicperformance or creates an intimidating, hostileworking or academic environment. Both men andwomen may be either the initiators or victims ofsexual harassment.
Complaints are to be directed to the director of Diversity Management for faculty and staffmembers, and to the dean of students for students.Institute officials may require an investigation.
The associate vice president for HumanResources or the vice president for Student Affairswill review the results of the investigation and takeor recommend appropriate disciplinary and/orother action. Individuals subject to disciplinaryaction may exercise their appeal rights pursuant tothe procedures set forth in the Faculty Manual, theClassified Employee Handbook, or the StudentConduct Code as appropriate.
Auditor’s Overview: The purpose of reviewing thisarea is to ensure that campus units have in place asystem that communicates with staff and studentsthe importance of an environment free of sexualharassment and a means of dealing with situationsin which a person believes they have been subjectedto sexual harassment.
Best Practices:
1. The unit head communicates the importance of theprevention of sexual harassment in the unit on aperiodic basis.
2. An individual or individuals within the unit aredesignated as contact points for employees whoneed to be referred to the appropriate level forcounsel in instances where they believe they havebeen sexually harassed.
3. All faculty and staff should be trained on preventingsexual harassment. See http://www.training.gatech.edu/main.html.
36 I Internal Control Guide
XIV.
Process
Sexual Harassment Prevention Procedures
Ensure that everyone in the unit understands theInstitute’s policy, which states that no member of itscommunity should be subjected to sexual harassmentby another, and if an employee or student believesthey have been subjected to such harassment, there isa means to deal with the matter fairly and effectively.
■ Responsible unit staff should familiarize them-selves with the Institute’s sexual harassment policyand procedures. The Institute’s policy can be foundin the following:
Faculty Handbook, Section 1.4.4.1 HumanRelations Policy at:http://www.academic.gatech.edu/handbook/hand-book1.html#s1p4p4
Page 6 of the Classified Employee Handbook at:http://www.ohr.gatech.edu/policies/handbook.pdf
Section 7.5 of the Human Resources Policies andProcedures Manual at:http://www.ohr.gatech.edu/policies/index1.html
■ The unit should communicate to all employees, on a periodic basis, the Institute’s policy on sexualharassment. This may be accomplished throughreminders at faculty/staff meetings, correspon-dence with employees, or through unit internalprocedure manuals.
■ Unit heads should encourage employees to attend training on sexual harassment offered by the Institute.
■ Deal effectively and fairly with any complaints of sexual harassment in accordance with Institute policy.
■ No member of the community may under any circumstances use Georgia Tech’s computers or network to create a hostile work environment.
Internal Control Guide I 37
XIV.
Consultants vs. Employees (Last revised 10-16-02)
Description of Risk: Improper classification of inde-pendent contractors/employees could result in the Institute being out of compliance with InternalRevenue Service (IRS) regulations, thereby increas-ing the liability of tax penalties and fines, as well as negative publicity.
Criteria: Georgia Tech’s Business and Finance Policiesand Procedures Manual, Section 5.3.3.1 (seehttp://www.admin-fin.gatech.edu/business/purchasing/0500331.html) provides guidelines for making pay-ments to individuals who are not employees of theInstitute. When the Institute is required to makepayments to individuals, a determination must bemade to ensure that payment clearly meets the IRSdefinition of independent contractor. Any individ-ual who performs services for the Institute is pre-sumed to be an employee unless the relationshipsatisfies the IRS standards for independent contrac-tors. The campus unit must examine the issue ofwhether an individual is an employee or independ-ent contractor because of the familiarity of the relationship. If the answer to any of the followingquestions is “yes,” the individual must be treatedas an employee.
■ Does the individual provide essentially the sameservice as an employee of the Institute?
■ Is the individual a current employee (or withinthe previous twelve months) of Georgia Techproviding the same or similar services?
■ Is it expected that the Institute will hire this indi-vidual as an employee immediately following thetermination of his/her services as a consultant?
■ Does the Institute control how the individualwill perform or accomplish the service?
■ Will the individual supervise or control Instituteemployees in accomplishing the service?
If any of the above questions are answered “yes,”or if there is any doubt regarding the issue, thecampus unit should consult with the Office ofHuman Resources. If there is uncertainty about anyof the questions, the Office of Legal Affairs must becontacted for assistance. If all answers to the ques-tions above are “no,” the individual may be paid asan independent contractor.
Auditor’s Overview: The purpose of an audit in this area is to ensure that campus units, when contemplating payments to an independent con-tractor, make a determination to ensure that such payments clearly meet the IRS definition of inde-pendent contractor.
Best Practices:
1. Management should designate an individual tomonitor instances where payments are contemplatedto an individual as an independent contractor to ensure that a determination is made in eachinstance that such payments are in accordance withIRS guidelines.
2. If, when contemplating payments to an independ-ent contractor, any question in the Institute policy is answered as “yes,” Human Resourcesshould be contacted regarding hiring the person asan employee.
38 I Internal Control Guide
XV.
Process■ The unit head should designate a person responsi-
ble for assisting with the monitoring of instanceswhere the unit contemplates payments to an inde-pendent contractor.
■ The unit head should empower the designated per-son to deal with Human Resources or Legal Affairson questions regarding contemplated payments toindependent contractors.
■ The designated person should bring to the unithead’s attention any instance where in applying thefive Institute questions regarding independent con-tractors, a “yes” answer is obtained. The unit headshould be advised to hire an individual as anemployee if any of the applied questions result in a“no” answer.
Internal Control Guide I 39
XV.
Compliance with Equal Employment Opportunity Laws(Last revised 03/07/03)
Description of Risk: The Institute could be subjectedto legal actions if the Equal EmploymentOpportunity Laws are not complied with, resultingin monetary penalties and/or adverse publicity.
Criteria: Georgia Tech is committed to affirmativeimplementation of equal employment opportunityin conjunction with an Equal Opportunity Programthat is in keeping with this policy. The Institute willcontinue to recruit, hire, train, and promote into alljob levels the best qualified persons without regardto race, color, religion, sex, or national origin.Similarly, all other personnel matters such as compensation, benefits, transfers, layoffs, Institute-sponsored training, education, tuition assistance,and social and recreational programs will continueto be administered in accordance with theInstitute’s policy. Each administrative officer of theInstitute at every supervisory level is responsiblefor avoiding prohibited bias in the workplace withregard to race, color, religion, sex, national origin,disability, or veteran status. This criterion is in theHuman Resources Policies and Procedures Manual,Section 1.1.
Auditor’s Overview: The purpose of an audit in thisarea is to ensure that campus units have in place aprocess that assures compliance with the EqualEmployment Opportunity Laws.
Best Practices:
1. Management has developed and communicated to employees policies and procedures that detailthe requirements of Equal EmploymentOpportunity Laws. For more information, see http://www.admin-fin.gatech.edu/human/.
2. Management has communicated the importance ofEqual Employment Opportunity (EEO) to the entireunit, enlisting their full cooperation.
3. The unit’s hiring and other personnel proceduresare administered without regard to race, color, religion, sex, or national origin.
4. Training is administered to managers and supervi-sors on preventing discrimination.
5. Training is administered to managers and supervi-sors on conflict resolution.
6. Periodic climate assessments that include EEOissues are completed. For assistance with theseassessments, contact the Office of DiversityManagement athttp://www.diversity.gatech.edu/diverse.html.
7. Consistency in application of work rules, processes,and disciplinary actions is maintained.
Process■ The unit head should designate a person responsi-
ble for assuring compliance with the EqualEmployment Act in all unit personnel actions.
■ The unit head should develop written policies andprocedures that detail the requirements of theEqual Employment Opportunity Act and a writtenplan for the development of unit personnel.
■ The unit head should communicate the EqualEmployment Opportunity Act procedures to allemployees, and emphasize the importance of theEqual Employment Opportunity Act, enlisting theirfull cooperation.
■ The unit head should serve as the final checkpoint,assuring that all personnel actions are administeredfairly, without regard to race, color, religion, sex, or national origin.
40 I Internal Control Guide
XVI.
Annual Performance Evaluations(Last revised 03/03/03)
Description of Risk: If the unit fails to properly prepare annual performance evaluations for all employees, they may not have a basis for personnel decisions.
Criteria: Georgia Tech policy is reflected in Section 4.5of the Human Resources Policies and Procedures, datedJanuary 1, 2003: Performance Appraisal Process.The 2003 classified performance appraisal processwill include notification to units by OHR of indi-vidual appraisals that have not been received withappropriate ancillary notification. Following areobjectives of the appraisal system:
■ Provide employees with a sense of their workaccomplishments relative to expectations andpredefined performance indicators.
■ Support employee development through discus-sion of assigned opportunities and training.
■ Emphasize the Institute’s commitment to continuous improvement and learning.
■ Encourage an appropriate relationship betweenpay levels and work performance.
■ Avoid surprises; keep lines of communicationopen.
Board of Regents’ policy, as stated in Section3.3.1 of the Faculty Handbook, requires that all facultymembers receive an annual, written review by theirunit head. In addition, the faculty member is to discuss the review with the unit head and sign astatement noting that the faculty member hasreceived the written review. The faculty memberhas the opportunity to respond, in writing, to theevaluation and receive a written response from thesupervisor to the comments of the faculty member.Both the faculty member’s comments and theresponse will then become part of the record.
Auditor’s Overview: The purpose of an audit in thisarea is to ensure that campus units have in place aprocess that ensures the accomplishment ofemployee performance evaluations in accordancewith Institute policy.
Best Practices:
1. Ensure that everyone responsible for employeereviews has had appropriate training. More information on training can be found at the Officeof Organizational Development Web site:http://www.training.gatech.edu/main.html
2. Management has developed and communicatedpolicies and procedures to employees that detail the requirements of annual performanceevaluations.
3. Establish specific performance goals and objectives annually.
4. Establish an annual employee development plan.5. Provide regular communications and feedback
on performance.
Process■ The unit head should designate a person responsi-
ble for assisting with the monitoring of the annualperformance evaluation process and the accumula-tion of the required documentation in order to meetthe Institute’s schedule.
■ The unit head should develop policies and proce-dures that detail the requirements of the annualperformance evaluation process.
■ The unit head should communicate the annual per-formance evaluation procedures to all employees,enlisting their full cooperation.
■ The unit head should serve as the final checkpointfor all performance evaluations, assuring that allevaluations are administered fairly, without regardto race, color, religion, sex, or national origin.
Internal Control Guide I 41
XVII.
