The JMU Control Self-Assessment is not an all-inclusive list of internal controls. Internal controls must be tailored to fit specific processes in each department. Instead, this self-assessment should be used as a general guide to help managers ensure basic internal controls are in place. A "yes" answer indicates that a desired control is in place; a "no" answer indicates that a control weakness may be present, and corrective action may be necessary. Keep in mind that some questions may not be applicable to all operations.  If you have any questions or would like assistance conducting an internal control self-assessment, please call Audit and Management Services at 8-6400.    

General Controls

  1. Does the department maintain written, up-to-date departmental procedures?
  2. Are employees aware of the requirements in the Financial Procedures Manual?
  3. Are all employees aware of University Policies?
  4. Do employees attend training offered by the university (Finance, Human Resources, etc.)?

Cash Receipts

  1. Are cash receipts entered into a cash register (or recorded on pre-numbered receipt forms) with a receipt copy given to the payer?
  2. Is a restrictive endorsement placed on incoming checks as soon as received?
  3. Are all checks made payable to the university?
  4. Are cash receipting duties performed by an employee not responsible for maintaining accounts receivable records?
  5. Are the duties of employees connected with the cash receipts function rotated periodically through vacations, etc.?
  6. Is responsibility for cash receipts fixed from the time they are received until sent to the bank?  (i.e., Does adequate accountability exist to identify who is responsible for cash at any given time?)
  7. Are deposits compared on a daily basis to cash register totals (or pre-numbered receipt forms) by someone other than the employee initially receiving cash?
  8. Are all voids properly approved by someone other than employees collecting cash and preparing deposits?
  9. Are cash overages or shortages reported on Deposit Transmittal Forms?
  10. Are employees prohibited from using cash receipts to make cash disbursements?
  11. Are adequate physical facilities (i.e., a safe for large amounts, a locked device within a secured office for smaller amounts) provided for safeguarding cash until it can be deposited?
  12. Are cash receipts deposited intact on a daily basis? (When collections are less than $200, deposits may be made on a weekly basis.)
  13. Are JMU Deposit Transmittal Forms prepared and signed for each deposit?
  14. Are JMU Deposit Transmittal Forms and supporting documentation approved by an employee not involved with the cash receipting process?
  15. Are FIS Summary Financial Reports and Monthly Detail Reports reconciled to supporting documentation by the department?
  16. Does the department maintain (and provide employees with) detailed written procedures for cash receipting?
  17. Are refunds and returns approved by management?

Petty Cash & Change Funds

  1. Has the department received approval from the University Business Office (UBO) for the amount of change funds maintained?
  2. Are change funds used exclusively for making change?
  3. Is cashing of checks out of change funds prohibited?
  4. Are change funds adequately secured in a locked device (e.g., a safe for large amounts, a locked device within a secured office for smaller amounts)?
  5. Are safe combinations and keys to cash boxes restricted to a minimum number of employees?
  6. Are change funds periodically reconciled to the authorized fund balance by someone other than the fund custodian?
  7. Is the amount of the change fund periodically evaluated to ensure that the amount of the fund is not excessive?
  8. Are new Change Fund Request Forms submitted to UBO each time the fund custodian changes?

Accounts Receivable

  1. Are accounts billed in a timely manner (within 5 days after goods or services are provided)?
  2. Is an accurate record of accounts receivable maintained and summarized in a control account (i.e., a cumulative receivable total updated for daily billings and receipts)?
  3. Is the accounts receivable control account periodically reconciled to detailed accounts receivable?
  4. Are accounts receivable aged trial balances routinely prepared?
  5. Do trial balances include realistic estimates of doubtful accounts?  Are accounts that should be written off identified?
  6. Is a record of year-end receivable balances prepared with comparisons to prior year's reports?
  7. Are the duties of recording/monitoring accounts receivable segregated from cash-receipting duties?
  8. Are university procedures followed to ensure collection of delinquent accounts (i.e., billed monthly for the first 90 days then reported to UBO for inclusion in the State Debt Set-off Program or referral to a collection agency or the Attorney General's Office)?  

Payroll

General
  1. Does the department maintain accurate, detailed time records (timecards or timesheets) signed by employees?
  2. Are hours worked per detailed records accurately entered in the JMU Time Entry panel in the Human Resources Management System (HRMS)?
  3. Does the department head or designee (per Signature Authorization listings) approve time entered in the JMU Time Entry panel?
  4. Does the department properly complete I-9 forms before allowing employees to work?
  5. Are detailed payroll records retained and adequately secured in the department?
Wage Employees
  1. Are Personnel Action Request (PAR or ePAR) forms indicating pay rate properly prepared and approved by appropriate officials before a wage employee commences work?
  2. Is overtime approved by supervisors before time is worked and are overtime hours accurately entered in the JMU Time Entry panel?
  3. Are non-exempt employees compensated in accordance with the Fair Labor Standards Act (FLSA)?
  4. Are hours worked by wage employees monitored and limited to working 1,500 hours in each 12-month period from April 1 to May 30?
  5. Does the department complete PAR (or ePAR) forms in a timely manner to notify Human Resources of terminations?
Student Employees
  1. Are pay rates exceeding the Student Employment Wage Scale properly approved in advance by the Student Employment Office?
  2. Are student employees in a degree-seeking program at JMU?
  3. Does the department monitor total hours worked per semester to ensure that students do not exceed 20 hours/week when enrolled in classes during the academic year?
  4. Does the department inform the Student Employment Office of resignations in a timely manner?
  5. Does the department permit students to work only after receiving approval from the Student Employment Office?
  6. Does the department provide the Student Employment Office with job descriptions for each position?
  7. Does the department monitor hours worked to ensure that students do not exceed authorized award amounts?
Classified Payroll
  1. Are PAR (or ePAR) forms properly prepared and approved by appropriate officials for all personnel actions (hires, terminations, transfers, etc.)?
  2. Do supervisors ensure that leave is accurately reported to Human Resources?
  3. Are non-exempt employees compensated in accordance with the Fair Labor Standards Act (FLSA)?

Purchasing/Expenditures

  1. Are eVA requisitions submitted for Procurement Services’ approval for all purchases of $10,000 or more?
  2. Does the department contact Procurement Services to make restricted purchases? (See Section 7005 of the Financial Procedures Manual.)
  3. Are items available on State contract purchased from the contract vendor unless:
    • the contract does not meet the delivery requirements;
    • the contract product's quality exceeds or does not meet JMU's needs; or
    • the contract product cost exceeds the cost of the product available on the open market?
  4. For purchases of $10,000 or more, are receiving reports completed by someone other than the individual originating the purchase?
  5. Are purchases made with the Small Purchase Charge Card (SPCC) limited to official, non-restricted purchases less than $10,000? (See Financial Procedures Manual Section 4220 for details.)
  6. Does the department maintain current, approved Delegation Agreements for each employee authorized to use the SPCC?
  7. Does the department head/approving authority ensure that SPCC statements have been reconciled to purchase log and supporting documentation?
  8. Does the department head/approving authority certify that all purchases are correct and valid state expenses? (Approval should be evidenced by the appropriate signature on SPCC Statement Cover Sheet for Payment.)
  9. Are Small Purchase Charge Cards (and account numbers) kept in a secure location by cardholders?
  10. Are Small Purchase Charge Cards returned to Cash and Investments when employees terminate employment or transfer?
  11. Are purchases that are expected to exceed $10,000 annually and contracts exceeding $10,000 (including those that span more than one year) purchased on a university purchase requisition?
  12. Is order-splitting (to circumvent spending limits) prohibited?
  13. Are expenditures recorded on FIS Summary Financial Reports and Monthly Detail Reports reconciled to supporting documentation each month?

Travel

  1. Are International Travel Authorization forms completed and approved prior to international travel?
  2. Is domestic travel approved in advance by an Approving Authority (president, vice president, assistant vice president, dean, assistant/associate dean, director or department head for the Department ID)?
  3. When five or more employees plan to attend a seminar, workshop or training program, does the department investigate alternatives (e.g., bringing a trainer on site, teleconferencing, etc.) and complete a written cost/benefit analysis to justify the travel?
  4. Does the department use travel agencies under contract with the university?
  5. Is mileage claimed for reimbursement calculated in accordance with the Financial Procedures Manual Section 4215?
  6. Does the department ensure that travelers adhere to Virginia State and university limits for lodging, meals, and incidental expenses?
  7. Are travel charge cards used only for reimbursable, travel-related expenses incurred while traveling and conducting official State business? 
  8. Do department employees pay travel card balances in a timely manner?
  9. Are travel reimbursement vouchers properly completed, approved and submitted (along with supporting documentation) in Chrome River in a timely manner?

Inventory

Inventory Records
  1. Are receipts and issuances recorded in inventory records in a timely manner?
  2. Are inventory records maintained or checked by an employee other than the employee who has custody of the inventory?
  3. Are inventory requisition forms properly completed, approved and retained for all inventory issuances?
Physical Counts
  1. Is a periodic physical count performed by persons other than those who maintain custody of the inventory and/or inventory records?
  2. Are written procedures for physical counts prepared and properly approved?
  3. Are physical counts supervised by a responsible official?
  4. Are items not to be included in the count segregated from the items to be counted?
  5. Are pre-numbered count tags used to ensure that all inventory items have been accounted for?
  6. Are arrangements made to prevent missing or double counting items during the physical inventory?
  7. Is investigation of differences between physical counts and inventory records performed or checked by persons other than those who maintain custody of the inventory and/or inventory records?
  8. Do procedures ensure that an accurate count and valuation is transmitted to Financial Reporting at the end of the fiscal year?
  9. Are physical inventory quantities priced, extended and summarized by someone other than those who maintain custody of the inventory and/or inventory records?

Equipment/Fixed Assets

  1. Are transfers/disposal of equipment approved by the department head or approving authority and submitted on the Equipment Inventory Change Request Form to Fixed Assets and Surplus Property?
  2. Does the department conduct an annual physical inventory of equipment in conjunction with Fixed Assets and Surplus Property?
  3. Does the department prohibit individuals from using, borrowing or removing university property for personal or private purposes?
  4. When it is necessary to remove university property from campus (e.g., to work at home), does the department require the written approval of a director, department head, dean, associate/assistant vice president or vice president?

Accomplishment of Goals and Objectives

  1. Does the department have an operating plan to accomplish its goals?
  2. Have departmental goals and objectives been established?
  3. Have goals and objectives been formally approved and documented?
  4. Are the objectives prioritized according to importance?
  5. Is a written report of accomplishments and non-accomplishments reviewed with management?
  6. Are there written status reports issued to monitor accomplishment of goals and objectives?
  7. Has management established operating or work standards that can be used to measure departmental performance?

Information Security 

General
  1. Are employees aware of the University Policies pertaining to information security?
    • Appropriate use of information technology resources?
    • Appropriate data stewardship?
  2. Do departmental procedures address the following:
    • Information disposal - shred sensitive documents, wipe hard drives prior to sending old workstations to surplus, etc.
    • Information distribution - confidential information must not be shared electronically, protected data should be encrypted, etc.
    • Information storage - confidential information must not be stored on workstations
Systems Access and Password Management
  1. Are employees aware that they must not share their password?
  2. Are there procedures for facilitating the process for requesting the removal of access to university systems?
  3. Are employees' access levels reviewed periodically?
  4. Do departmental procedures prohibit writing passwords on or near workstations?
Workstation Security
  1. Has departmental management designated a person as a workstation administrator for the department or does everyone have administrator-level access to their own workstations?
  2. Are surge protectors used on all workstations?
  3. Are workstations' hard drives encrypted to protect sensitive information?
Contingency Management Plan (Business Continuity Plans)
  1. Has a contingency plan been developed and documented?
  2. Has the contingency plan been tested on a periodic basis (annually or semi-annually)?
Input Controls
  1. Is there appropriate segregation of duties to ensure that an employee does not perform more than one of the following operations?
    • Data origination
    • Data input
    • Data input verification

Security Awareness

  1. If the department has any external requirements for information security, does the department provide information on these requirements to employees?
  2. Are all newly hired employees required to attend university security awareness training?
  3. Do departmental procedures contain the following instructions:
    • Physical Access Controls - Keeping keys under control, not allowing piggybacking into restricted areas, escorting visitors.
    • Information Storage - Locking up sensitive information when not in use, protecting essential information from destruction.
    • Information Distribution - Packaging sensitive information for mailing, using special messengers or couriers, verifying caller identity before revealing information.
    • Information Disposal - Shredder location and use, using special locked containers for sensitive trash, enforcing classified-waste disposal program.
    • Authorization - Who should authorize transactions and when, the importance of verifying authorization signatures.
    • Errors - Error prevention, detection, and correction, use of balancing reports or control totals, what to do if an error cannot be corrected using standard procedures.
    • Personal Conduct - The importance of not discussing controlled information or the methods used to control it.
    • Disaster Recovery & Alternative Procedures - Each employee's responsibilities in an emergency, special recovery team's responsibilities, who is in charge of those teams.
    • Information Classification - Types of data (e.g., public, internal general, or internal restricted) managed by the department.
