
INTERNAL CONTROLS

ASSESSMENT- TO BE COMPLETED

The Internal Controls Self-Assessment was developed as a multipurpose tool to assess a unit’s compliance with internal controls. Selected departments will be asked to complete this self-assessment as part of the University-wide compliance testing program.

Departments should also use the self-assessment as a guide for managing important financial controls within their units. We encourage you to review this document periodically to assess your unit’s compliance with proper internal controls.

SELF-ASSESSMENT

IC v October 2016


The University of North Carolina at Chapel Hill Internal Controls Self-Assessment

SELF-ASSESSMENT

When your response to a question is either “Not Applicable (NA)” or “No”, it is necessary to provide a written explanation in the comments field.

Department Name: Department Number:

GENERAL CONTROLS

1. The department documents the monthly reconciliation of its ConnectCarolina fund sources and reports.

Yes No NA

A yes answer indicates that the department has written evidence (check marks, etc.) that Infoporte reports are reconciled and reviewed on a timely basis (within 30 days) by appropriate employees.

Comments:

2. The number and scope of department-authorized approvers are reasonable.

Yes No NA

A yes answer indicates that the department has enough authorized approvers so that no one can initiate and approve the same transactions unless a second individual reviews or reconciles these transactions.

Comments:


3. All operating fund sources are budgeted.

Yes No NA

A yes answer indicates that all operating fund sources are budgeted in ConnectCarolina. To answer this question, the department should review current Infoporte reports to see that every fund source is budgeted.

Comments:

4. The department complies with special terms and conditions of its federal grants and contracts.

Yes No NA

A yes answer indicates that the department filed timely financial and technical reports for all federal grants and complied with any other specific terms and conditions of individual grants such as restrictions on expenditures, amounts or percentages of salaries and benefits charged to a grant, etc.

Comments:

EXPENDITURES

5. The authorization, processing, recording and reconciliation activities are clearly segregated.

Yes No NA

A yes answer indicates that one person does not perform all of these duties and that different individuals authorize and reconcile the account.

Comments:


6. Persons authorized to approve expenditures are clearly identified, and all expenditures are approved in advance by an appropriately authorized person.

Yes No NA

A yes answer indicates that the department has written policies and procedures identifying the individuals authorized to approve expenditures, and the approval policy is communicated to all appropriate personnel.

Comments:

7. Invoices or requests for disbursement are supported by appropriate receipts or documentation that indicates receipt of the goods or services.

Yes No NA

A yes answer indicates that proper documentation is required and reviewed for approval.

Comments:

8. Business entertainment expense reimbursements are properly authorized and sufficiently documented.

Yes No NA

A yes answer indicates that all business entertainment expense reimbursements are approved by an appropriate authorizer. In addition, business entertainment expense reimbursements must be documented (substantiated) by i) an invoice or receipt, ii) a statement as to the reason for the expense, and iii) identification of the persons attending (actual names of individuals if there are eight or fewer attendees).

Comments:


9. Infoporte reports are produced directly and reconciled with disbursement records by someone independent of the cashier, payment processing and payment approval activities (at a minimum reviewed by another individual).

Yes No NA

A yes answer indicates that Infoporte reports are reconciled on a timely basis with separation of duties.

Comments:

10. Principal Investigators on grants and contracts exercise appropriate oversight of the finances of the project.

Yes No NA

A yes answer indicates that:

a. Personnel charges to grants and contracts are consistent with participation effort.

b. All other expenditures charged to projects are appropriate.

c. Total charges do not exceed funds awarded.

d. All charges are in compliance with federal and University policies and procedures.

Comments:

CASH CONTROLS AND RECEIPTS

11. Cash, check, and payment card receiving, processing, recording and reconciliation functions are clearly segregated.

Yes No NA

A yes answer indicates that, at a minimum, another individual is reviewing the reconciliation. In situations where there is only one staff member, the supervisor or department chair should be performing the review function.

Comments:


12. Cash, check, and payment card deposits are processed in a timely manner and sufficiently documented.

Yes No NA

A yes answer indicates that the department is in compliance with the Daily Deposit Act and promptly deposits cash and checks (within 24 hours) with the University Cashier. In addition, the department keeps a log of all cash and checks received. Payment card terminals are settled on a daily basis and deposits are created daily in ConnectCarolina.

Comments:

13. Cash and check deposits and payment card information are kept in a secured location.

Yes No NA

A yes answer indicates that the deposits and payment card information are in a secure location with restricted access to authorized personnel only. To protect the deposits, they should be kept in a secured (locked) storage area, such as a file cabinet or safe located in an interior locked office.

Comments:

14. Checks are restrictively endorsed upon receipt.

Yes No NA

A yes answer indicates that the department restrictively endorses checks (marked “for deposit only, UNC Chapel Hill”) as soon as checks are received.

Comments:


15. The department’s petty cash funds are necessary and there are procedures for control and reconciliation.

Yes No NA

A yes answer indicates that there are a reasonable number of petty cash funds for the size of the department and that the approved balance for each fund source is approximately equal to a 60-day average of expenditures from the fund source. Also, disbursements from petty cash are supported with proper receipts and are approved by someone other than the recipient and petty cash custodian.

Comments:

16. ConnectCarolina fund sources are reconciled and reviewed on a monthly basis.

Yes No NA

A yes answer indicates that Infoporte reports are reconciled and reviewed in a timely manner (within 30 days). Receipts and expenditures flowing through these fund sources must be appropriate.

Comments:

17. The Pcard (procurement card) is used appropriately.

Yes No NA

A yes answer indicates that someone other than the cardholder reconciles cardholders’ statements with receipts, transactions are reviewed by an appropriate person for proper use, and receipts are kept for five full years.

Comments:


IMPREST CHECKING (BANK) ACCOUNTS

18. An imprest checking account has been established by the department.

Yes No

A yes answer indicates that the department currently has an imprest checking account. If a no answer, please skip to control statement 24.

Comments:

19. Imprest checking accounts have been established per University Policy and the funds are used only for the University authorized purpose.

Yes No NA

A yes answer indicates that the account was specifically authorized, in writing, by the Vice Chancellor for Finance and Administration. It also indicates that imprest funds are not, under any circumstances, used for the payment of stipends, personal services, payments to vendors, or loans and advances to employees.

Comments:

20. Imprest checking accounts are replenished at least once a month to their original account balance when expenditures were recorded during the preceding thirty days.

Yes No NA

A yes answer indicates that at least once a month the account is reimbursed to its original account balance. It also indicates that proper supporting documentation for each disbursement is maintained and includes proper authorization.

Comments:


21. The balance of the imprest checking account is in keeping with the approved purpose of the account and University policy.

Yes No NA

A yes answer means that the balance of the account does not exceed two months’ average disbursements from the account and the approved purpose of the account is still valid.

Comments:

22. Bank statements are received directly and reconciled with disbursement records by someone independent of the cashier, payment processing and payment approval activities. (At a minimum reviewed by another individual.)

Yes No NA

A yes answer indicates that all disbursements were approved by an appropriate signer. In addition, during the reconciliation, the processed check is examined for alterations and signature validity.

Comments:

23. Checkbooks, deposit slips, bank account numbers, and bank statements are kept in a secured location.

Yes No NA

A yes answer indicates that the above items are in a secure location with limited access to authorized personnel only. To protect these items, they should be stored in an area that is not visible to unauthorized personnel and they should not be left unattended during the working day. When not being used, these items must be kept in a secured (locked) storage area, such as a file cabinet or safe located in an interior locked office.

Comments:


PAYROLL, PERSONNEL, AND BUSINESS EXPENSES

24. Biweekly time sheets correctly reflect hours worked and leave time taken.

Yes No NA

A yes answer indicates that biweekly time sheets are correct and verified by a supervisor who has knowledge of the hours worked and leave time taken.

Comments:

25. The department maintains adequate controls of vacation and sick leave for both SHRA-exempt and EHRA employees.

Yes No NA

A yes answer indicates that the department has a formal documented system of tracking vacation and sick time for all exempt employees.

Comments:

26. The department removes terminating employees’ access rights, signature authority, and electronic approval capability.

Yes No NA

A yes answer indicates that the department communicates to the Access Coordinator the authorization to remove access rights (computer, building, etc.) of terminated employees.

Comments:


27. Travel and business expense reports are properly authorized and documented.

Yes No NA

A yes answer requires the following: (i) travel and business expense reports have proper documentation which includes business purpose, attendees and receipts; (ii) travel expenses are approved by an authorized person.

Comments:

28. The department does not permit personal employee purchases through the University.

Yes No NA

A yes answer indicates that the department does not allow employees to purchase personal items through the University.

Comments:

COMPUTER SECURITY

29. Department is aware that it must immediately report lost or stolen mobile devices (e.g., laptops, smartphones) or security breaches (e.g., computer viruses, hacking attempts) to the IT Response Center at 919-962-HELP.

Yes No NA

A yes answer requires that personnel are aware that an incident must be immediately reported to the IT Response Center at 919-962-HELP, which operates 24/7.

Comments:


30. The storage of sensitive information follows University policy and procedure.

Yes No NA

A yes answer indicates that the department never stores sensitive information on a mobile device, including a laptop computer or a smart phone, unless storage on the mobile device has been approved by the Dean (if you are a student) or the head of your business unit (if you are an employee) and the sensitive information is encrypted.

Comments:

31. Only official UNC-Chapel Hill supplied email addresses are used for University business.

Yes No NA

A yes answer requires that only UNC-Chapel Hill supplied email addresses are used for University business. Auto-forwarding of University email accounts is not allowed. Manual forwarding of individual personal email messages is permitted.

Comments:

32. Workstations are appropriately logged off when left unattended.

Yes No NA

A yes answer requires that workstations are logged off or a timed screen saver with password protection is utilized. The maximum timed setting for screen saver activation is 30 minutes.

Comments:


33. Procedures for controlling computer viruses are in place.

Yes No NA

A yes answer indicates that an updated anti-virus program is run on a regular basis on workstations and file servers. Procedures for controlling computer viruses are in accordance with ITS policy and are reviewed annually and shared with staff.

Comments:

34. A departmental password policy is in place.

Yes No NA

A yes answer indicates that the department has a password policy prohibiting unauthorized use of another's account and password. All passwords used for University systems are changed every 90 days.

Comments:

BUSINESS MANAGEMENT

35. The department maintains a current equipment inventory.

Yes No NA

A yes answer indicates the department has a current equipment inventory that includes capitalized equipment ($5,000 & above maintained by Asset Mgt) and also equipment less than $5,000 (usually high risk items that are moveable, i.e. computers, laptops, printers, lab equipment, balances, microscopes, etc.). Also, items subject to inventory requirements that are being used at home or other off-campus locations have been recorded on an Off-Campus Use Agreement and Authorization form.

Comments:


36. The department is aware of record retention requirements.

Yes No NA

A yes answer indicates that the department retains all financial and administrative records for the appropriate amount of time in accordance with the University’s General Records Retention and Disposition Schedule.

Comments:

37. The department maintains a written disaster recovery/ business continuity plan.

Yes No NA

A yes answer indicates that the department has a documented disaster recovery plan and that business operations could continue with a minimal disruption after a disaster (such as a fire within a department).

Comments:

38. The department has an organizational chart that defines lines of authority and responsibility.

Yes No NA

A yes answer indicates that the department has an organizational chart that is updated and made available to employees.

Comments:

CREDIT CARD MERCHANT ACCOUNTS & PCI COMPLIANCE

Completing this section of the self-assessment reflects only part of the PCI compliance program and does not, by itself, certify a merchant as PCI compliant.

39. A credit card merchant account has been established by the department.

Yes No

A yes answer indicates that the department currently has a credit card merchant account approved by the CERTIFI committee. If a no answer, please skip to control statement # 50.

Comments:

40. The department has a policy and procedures manual that documents an employee’s responsibilities and the procedures for processing payments by credit and debit card.

Yes No NA

A yes answer indicates that there is written documentation for payment transaction procedures and for the safeguarding of all financial and personal identifying information.

Comments:

41. The department documents the monthly reconciliation of its SunTrust Merchant Services invoice with actual credit card deposits by using TouchNet, web-based ClientLine or custom reports, ConnectCarolina accounts, and daily deposit reports.

Yes No NA

A yes answer indicates that the department has written evidence (check marks, etc.) that the SunTrust Merchant Services invoice and other reports (ClientLine, ConnectCarolina reports) are reconciled and reviewed on a timely basis (within 30 days) by appropriate employees.

Comments:

42. A refund is returned to the original credit card account and is approved by at least two people.

Yes No NA

A yes answer indicates that the department has a written policy in place that specifies that refunds are returned to the original credit card account. The policy also establishes the approval process to initiate a refund by credit card by requiring more than one person’s approval.

Comments:

43. All employees involved in the credit card process have participated in credit card merchant training provided by the Finance Division.

Yes No NA

A yes answer indicates that all employees involved in the credit card process have participated in the credit card merchant training provided by the Finance Division and receive this training annually.

Comments:

44. Procedures for controlling computer viruses are in place.

Yes No NA

A yes answer indicates that an anti-virus program is run on a regular basis on workstations and file servers.

Comments:


45. A departmental password policy is in place.

Yes No NA

A yes answer indicates that the department has a password policy prohibiting unauthorized use of another's account and password, and related disciplinary procedures. In addition, vendor supplied default passwords are changed before installing a system on the network.

Comments:

46. Cardholder data (CHD) is not stored electronically.

Yes No NA

A yes answer indicates that the department does not store any type of cardholder data electronically. CHD is defined as the full magnetic stripe or the PAN (Primary Account Number: the payment card number, credit or debit, that identifies the issuer and the particular cardholder account; also called the account number). CHD also includes any of the following: cardholder name, expiration date or service code.

Comments:

47. Strong access controls to cardholder data and equipment that is used to process transactions are in place.

Yes No NA

A yes answer indicates that the merchant limits access to system components, cardholder data and equipment to only those individuals whose job requires such access. The merchant also protects devices that capture payment card data from tampering and substitution.


Comments:

48. Computers are scanned quarterly using Identity Finder software.

Yes No NA

A yes answer indicates the department uses Identity Finder software to scan computers in order to identify and remediate sensitive, University-owned information.

Comments:

49. The department’s merchant account is PCI compliant.

Yes No NA

A yes answer indicates that the merchant completes the appropriate Self-Assessment Questionnaire (SAQ) annually, therefore attesting that all requirements of the Payment Card (PCI) Data Security Standard are met.

Comments:

UNDERSTANDING OF POLICY

50. The use of the University’s resources and services is permitted for partisan political activities under the following conditions:

a. The cost to the University must be negligible.

b. The use must not interfere with a University employee's obligation to carry out University duties in a timely and effective manner.

c. Both a and b.

d. No employee may use University funds, vehicles, equipment, supplies, or other resources in connection with partisan political activities.

Reference Policy 105 – Personal Use Policy

51. An overdrawn imprest account will be charged all applicable overdraft fees for each day the account is overdrawn. Who is responsible for maintaining a positive cash balance in the account?

a. Accounting Services

b. Department (registered custodian of the account)

c. Controller’s Office

Reference Policy 306 – Imprest Checking (Bank) Accounts

52. In order for a department to surplus computing devices, they:

a. Should only do so in accordance with the Campus Standards for Electronic Media Disposal.

b. Must first properly sanitize all electronic media.

c. Should keep the devices physically secure until transfer to University Surplus.

d. Both a and c.

e. All of the above (a, b, & c).

Reference Campus Standards for Electronic Media Disposal

53. Travel by senior University administrators shall be authorized in advance by the administrator’s supervisor or the person designated to do so. The exception to this is:

a. Travel by a Dean of the University

b. Travel by the Chancellor of the University

c. In-state day travel by a senior University administrator

Reference Policy 1303 – Authorization for University Travel


54. Which of the following statements is NOT true with regard to deposits?

a. The Daily Deposit Act, General Statute 147-77 requires daily deposit of funds received by the University.

b. Since credit card receipts are transferred directly to the bank, it is not necessary for a Daily Cash Transmittal to be completed in order for the receipts to be attributed to the appropriate department account.

c. The Daily Deposit Act, General Statute 147-77 allows for noncash receipts that accumulate to less than $250 within a week to be deposited on a weekly basis, rather than a daily basis.

d. Deposits for contract and grant accounts should be forwarded directly from the department to the Office of Sponsored Research, subject to the Daily Deposit Act.

Reference Policy 302 – General Receipts and Deposits


CERTIFICATION

Comments:

Completed by: (signature) (telephone)

Name & Title: (please type)

Email: Date:

Approval of Chair, Dean, or Director: (signature)

Name & Title: (please type)

Email: Date:
