UCR Policies and Procedures

Printer Friendly Version

Campus Policy Number: 250-40

Internal Control Guidelines for Campus Departments

Policy Owner: Internal Audit
Effective Date:9/15/94


      • University of California Business and Finance Bulletins:
      • A-53 "Official Documentation Required in Support of University Financial Transactions"
      • BUS-29 "Management and Control of Inventorial Equipment"
      • BUS-49 "Cashiering Responsibilities and Guidelines"
      • BUS-54 "Operating Policy for University Supply Inventories"
      • G-28 "Policy and Regulations Governing Travel"
      • IA-001 "Internal Control Standards: Introduction"
      • IA-101 "Internal Control Standards: Departmental Payrolls"
      • IA-403 "Internal Control Standards: Issuance and Control of Operating Cash Funds"
      • University of California Accounting Manual Chapters:
      • C-173-61 "Cash: Petty Cash Disbursements"
      • C-557-21 "Contracts & Grants: Federal Cash Advance Programs"
      • D-371-36 "Disbursements: Invoice Processing"
      • I-581 "Inventories"
      • P-196-13 "Attendance, Time Reporting, and Leave Accrual Records"
      • R-212-2 "Receivables Management"
      • National Association for College & University Business Officers:
      • "Internal Control Questionnaire for Colleges and Universities"
      • UCR Policy and Procedures Manual:

      Comprehensive procedural details on departmental operations are located in numerous sections of this policy manual.


    Internal control refers to the methods and procedures used to:

    • Promote operational efficiency and effectiveness.
    • Safeguard assets against loss and unauthorized use of disposition.
    • Ensure the validity, accuracy, and reliability of accounting records and financial reports.
    • Promote adherence to prescribed management policies and procedures.

    It is recognized that the costs associated with internal control should not exceed the benefits derived. Because not all departmental operations have sufficient resources to provide optimal control, estimates and judgments must be exercised to assess the costs, benefits, and risks involved. Given these considerations, adherence to the control guidelines contained in this policy are required to the maximum degree practicable.


    Managers are responsible for:

    • Establishing and maintaining control systems
    • Promoting control awareness
    • Conducting periodic reviews of control system adherence
    • Taking corrective action on control weaknesses

    Achievement of control objectives is aided by:

    • Clearly defined organizational structure and employee responsibilities
    • Written procedures

    Budgetary control is to be exercised through:

    • Comparing actual results to budgeted estimates
    • Determining causes of variances


    Basic principles of internal control include:

      • Separation of Duties:

      No one employee, including a manager, should be in a position to both take unauthorized action or make an error and permanently conceal it. Duties should be separated, transactions independently reviewed, work done in tandem, or management should be actively involved in daily operations to reduce probability that error, mismanagement, or fraud goes undetected.

      • Authorization and Approval:

      Actions should be approved by an employee delegated the authority to do so. Approval of transactions should be documented.

      • Safekeeping of Assets:

      Unauthorized access to assets should be prevented. The employee responsible for asset custody should not also be in charge of the related recordkeeping.

      • Review and Reconciliation:

      Budgets, accounting reports, and records should be reviewed by capable employees to verify that accounting transactions are correct, authorized, and within budgetary constraints.


    The following are specific policies on internal controls for departmental operations of: (a) accounting records, (b) payroll, (c) purchasing and receiving good or services, (d) travel, (e) equipment and other inventories, (f) cash receipts, (g) petty cash funds, (h) billing, (i) cost transfers, (j) distributed information systems.

      • Accounting Records:

      To ensure accuracy and completeness of accounting records and to avoid making decisions on erroneous information, department personnel should:

      • Reconcile DEX 313 entries monthly to source documents
      • Reconcile any internal departmental system records and reports to the DEX
      • Payroll:

      UC's comprehensive policy on payroll controls, Business and Finance Bulletin IA-101, "Internal Control Standards: Departmental Payrolls" should be followed in determining departmental payroll control systems.

      • Purchasing and Receiving Goods and Services:


      1. Separation of Duties

        Under optimal conditions, no employee should have complete control over more than one of these duties:

        • Iinitiating purchase requisitions or sub purchase orders.
        • Approving purchase requisitions or sub purchase orders.
        • Verifying receipt of goods/services and maintaining temporary custody.
        • Approving invoices for payment.
        • Reconciling DEX313 reports.

        A reasonable separation of duties should be established after considering the costs, benefits and available staff.


      3. Authorization and Approval

        Transactions that will generate a payment are to be approved by employees who are: (1) formally delegated authority on a Signature Authorization Form (Form U242), and (2) thoroughly knowledgeable on departmental operations and UC policies.

        In approving transactions for payment, the employee is certifying that the goods/services were indeed received, that accounts charged are proper, and that payment, to their knowledge, has not previously been made.

        Purchasing goods or services for personal use is not allowed.


      5. Safekeeping of Goods Received

        Goods received and awaiting distribution to the end user are to be kept in a secure location. A temporary custodian is assigned safekeeping responsibility.


      7. Review and Reconciliation

        Persons performing the department's receiving function have specific review responsibilities:

        • Determine the actual type, condition, and quantity of goods received, and compare to the shipping documents. Annotate shipping document with initials and date received. Reconcile shipping documents to purchase order or sub-purchase order, and invoice (or payment appearing in DEX313). (This latter step can be performed by the department's DEX reconciler.)
        • Determine that services have indeed been performed in accordance with the rates and terms of the purchase order, consulting agreement, or contract.

        Employees reviewing the DEX should:

        • Have overall knowledge of departmental operations
        • Reconcile DEX313 transactions to source documents monthly
        • Annotate the DEX313 with initials and date to document the review
      • Travel

      UC's comprehensive policy on travel, Business and Finance Bulletin Policy G-28 "Policies and Regulations Governing Travel," should be referred to in determining departmental travel control systems.

      Additional internal controls for travel expenses include:


      1. Separation of Duties

        Under optimal conditions, no employee should have complete control over more than one of these duties:

        • Preparing travel and voucher forms.
        • Approving travel advance and voucher forms.
        • Distributing travel advances or reimbursement checks to employees.
        • Reconciling departmental DEX313 entries.

        A reasonable separations of duties should be established after considering the costs, benefits, and available staff.


      3. Review and Approval

        Travelers should not sign a blank travel voucher before it is prepared. To do so negates the certification given through signing "The above is a true statement of travel expenses incurred by me on official University business on the dates shown."


      5. Safekeeping of Travel Advances or Reimbursement Checks

        Travel advance or reimbursement checks awaiting distribution are to be kept in a secure location; a custodian should be assigned safekeeping responsibility.

      • Equipment and Supply Inventories

      UC's comprehensive policies on inventories, Business and Finance Bulletins BUS-29 "Management and Control of Inventorial Equipment" and BUS-54 "Operating Policy for University Supply Inventories," should be referred to in determining inventory control systems.

      Additional internal controls for equipment and supply inventories include:

        1. Separation of Duties

        Under optimal conditions, no employee should have complete control over more than one of the following groups of duties:

        • Receiving, maintaining, or issuing inventory.
        • Approving the transfer, disposal, or write-off of inventory.
        • Maintaining records of the use, location, disposal, or loss of inventory.
        • Performing periodic physical inventory counts or inspections.

        A reasonable separation of duties should be established after considering the costs, benefits, and available staff.

        2. Inventory Safekeeping

        Measures to safeguard inventory against loss through damage, theft or misappropriation should be proportional to the item's value and removability. Locks, keys, and/or combinations securing movable, valuable inventory are to be changed whenever employees terminate or transfer that previously had been given access.

      • Cash Receipts

      UC's comprehensive policy on handling cash receipts, Business and Finance Bulletin BUS-49 "Cashiering Guidelines and Responsibilities" and UCR Policy and Procedure Manual section 200, Policy 200-12, "Cashiering - Subcashiering & Special Cashiering Station Operations" should be referred to in determining cash receipts controls.

      Additional controls for cash receipts functions should include:


      1. Segregation of Duties

        Under optimal conditions, no employee should have complete control over more than one of the following duties:

        • Receiving and depositing cash (currency, checks, or other negotiable instruments).
        • Recording cash payments to department receivable records.
        • Billing customers.
        • Reconciling cash receipts to deposits and/or DEX313 reports.

        Also, the employee opening departmental mail should not have cashiering responsibilities.

        A reasonable separation of duties should be established after considering the costs, benefits, and available staff.


      3. Safekeeping of Cash Receipts

        Cash receipts may not be maintained in departmental offices on a permanent basis, and may not be deposited in unauthorized or non-University bank accounts.


      5. Other

        Disbursements are not to be made from unrecorded cash receipts.

        Where a receipt is usually not issued to a payer, such as with admission tickets at athletic events, control adequacy should be reviewed with the Campus Cashier Coordinator and the Accounting Officer.

        Daily reports of cash receipts are to be approved by the supervisor. Receipt forms and cash should be reconciled to the report of cash receipts, which is later to be agreed to DEX313 entries.

      • Petty Cash Funds

      The following policies should be referred to in determining appropriate controls for petty cash funds: Accounting Manual policy C-173-61 "Cash: Petty Cash Disbursements," and UCR Policies and Procedures Manual policy 200-72, "Petty Cash Procedures."

      Additional controls for petty cash funds should include:

      • The fund custodian may not make any disbursements without first being satisfied that it complies with University policy.
      • The custodian should balance the fund at least monthly and whenever it is replenished.
      • Billing and Accounts Receivable

      The Accounting Manual Policy R-212-2 "Receivables Management" should be referred to in determining adequate internal controls for billing and accounts receivable functions. The applicability of parts of this policy depend on the extent the department performs these functions.

      • Cost Transfers and Recharges

      UC's comprehensive policy on cost transfers and recharges, Business and Finance Bulletin A-47 "University Direct Costing Procedures" should be referred to in determining adequate control systems for costs transfers and recharges. Controls over cost transfers on Federal contracts and grants should be given special consideration (see UCR P&P Manual section 200, Policy 200-50, "Federal Expenditure Cost Transfers").

      Additional controls for costs transfers and recharges should include:


      1. Separation of Duties

        Under optimal conditions, no employee should have complete control over more than one of the following duties:

        • Preparing cost transfer/recharge documents.
        • Approving cost transfer/recharge documents.
        • Reviewing and reconciling DEX313 reports of recorded cost transfer/recharge activity.

        A reasonable separation of duties should be established after considering the costs, benefits and available staff.


      3. Review and Reconciliation

        Departmental management and Principal Investigators review each monthly financial summary for funds entrusted to them and question unusual activity.

      • Distributed Information Systems

      The term "distributed information system" refers to any information system, either manual or automated, operated by a campus department independent of Institutional Computing.

      The following controls are not intended to be comprehensive, but rather those necessary to provide a reasonable level of control.


      1. General Controls


        1. As a systems development component the department should prepare and retain a written statement of system objectives describing the purpose, functions to be performed, input used, and output produced.


        3. User documentation should be prepared and include the following:

          • System overview.
          • Flow of information through the system.
          • Indication of responsibility for the various system components.
          • Overview of system controls.
          • Data entry, processing, and output procedures and cutoffs.
          • Output distribution, including timing and frequency.


        5. Training and cross training should be provided sufficient to reasonably insure system integrity.


        7. System modifications should be documented.


        9. The existence of a path or trail running form system reports back to the inputter or forward to output reports is referred to as a transaction trail. Transactions trails should exist and be retained in accordance with University retention schedules.


      3. Input Controls

        Control is needed to provide reasonable assurance that data entered into the system is authorized, accurate, and complete.


        1. Controls should be provided to ensure each source document is correctly entered into the system through the use of batching techniques, reconciling to predetermined control totals, or any other method that accomplishes this control objective.


        3. Source documents are marked after entry to assign accountability and protect against re-entry.


        5. Procedures are in place to adequately identify, correct, and resubmit rejected data.


        7. Data entry personnel should not have access to nor custody of related assets.


      5. Processing Controls

        Data entered into a system should be controlled to provide reasonable assurance that data is processed completely and correctly.


      7. Output controls

        Management should be reasonably assured that processed data supports output reports.


        1. Documented procedures exist on balancing and reconciling output reports to inputs.


        3. System users should be provided lists of all transactions entered into the system to facilitate tracing and reconciliation.


        5. Output reports should pass a overall reasonableness test before being used for decision support.


      9. Controls Specific to Automated Systems


        1. The department should have adequate and readily available technical expertise to maintain the system.


        3. System and critical data backup should be maintained in an off-site location.


        5. A contingency plan should exist that can be readily implemented in the event of an extended system failure.


        7. Each user should have, keep confidential, and use a unique password to access the system.