JMU CONTROL SELF-ASSESSMENT
The JMU Control Self-Assessment is not an all-inclusive list of
internal controls. Internal controls must be tailored to fit specific processes in
each department. Instead, this self-assessment should be used as a general guide
to help managers ensure basic internal controls are in place. A "yes"
answer indicates that a desired control is in place; a "no" answer
indicates that a control weakness may be present, and corrective action may be
necessary. Keep in mind that some questions may not be applicable to all
If you have any questions, please call Audit and
Management Services at ext. 86400.
- Does the department maintain written, up-to-date departmental procedures?
- Does the department have an up-to-date copy of the JMU Financial Procedures
- Are all employees aware of University Policies and Procedures maintained on
the University's home page?
- Are cash receipts entered into a cash register (or are recorded on
pre-numbered receipt forms) with a receipt copy given to the payer?
- Is a restrictive endorsement placed on incoming checks as soon as received?
- Are all checks made payable to the University?
- Are cash receipting duties performed by an employee not responsible for
maintaining accounts receivable records?
- Are the duties of employees connected with the cash receipts function
rotated periodically through vacations, etc.?
- Is responsibility for cash receipts fixed from the time they are received
until sent to the bank? (i.e. Does adequate accountability exist to
identify who is responsible for cash at any given time?)
- Are deposits compared on a daily basis to cash register totals
(or pre-numbered receipt forms) by someone other than the employee initially
- Are all voids properly approved by someone other than employees collecting
cash and preparing deposits?
- Are cash overages or shortages reported on Deposit Transmittal Forms?
- Are employees prohibited from using cash receipts to make cash
- Are adequate physical facilities (i.e., a safe for large amounts, a locked
device within a secured office for smaller amounts) provided for
safeguarding cash until it can be deposited?
- Are cash receipts deposited intact on a daily basis? (When collections are
less than $200, deposits may be made on a weekly basis.)
- Are JMU Deposit Transmittal Forms prepared and signed for each deposit?
- Are JMU Deposit Transmittal Forms and supporting documentation approved by
an employee not involved with the cash receipting process?
- Are FIS Summary Financial Reports reconciled
to supporting documentation by the department?
- Does the department maintain (and provide employees with) detailed written
procedures for cash receipting?
- Are refunds and returns approved by management?
Petty Cash Change Funds
- Has the department received approval from the Cashier's Office for the
amount of change funds maintained?
- Are change funds used exclusively for making change?
- Is cashing of checks out of change funds prohibited?
- Are change funds adequately secured in a locked device (e.g., a safe for
large amounts, a locked device within a secured office for smaller
- Are safe combinations and keys to cash boxes restricted to a minimum
number of employees?
- Are change funds periodically reconciled
to the authorized fund balance by someone other than the fund custodian?
- Is the amount of the change fund periodically evaluated to ensure that the
amount of the fund is not excessive?
- Are new Permanent Petty Cash Forms submitted to the Cashier's Office each
time the fund custodian changes?
- Are accounts billed in a timely manner (within 5 days after goods or
services are provided)?
- Is an accurate record of accounts receivable maintained and summarized in a
control account (i.e., a cumulative receivable total updated for daily
billings and receipts)?
- Is the accounts receivable control account periodically reconciled to
detailed accounts receivable?
- Are accounts receivable aged trial balances routinely prepared?
- Do trial balances include realistic estimates of doubtful accounts and an
identification of accounts that should be written off?
- Is a record of year-end receivable balances prepared with comparisons to
prior year's reports?
- Are the duties of recording/monitoring accounts receivable segregated from
cash receipting duties?
- Are adequate procedures followed to ensure collection of delinquent accounts
(i.e., billed monthly for the first 90 days then reported to the Cashiers
Office for referral to a collection agency or the Attorney General's Office)?
- Does the department maintain accurate, detailed time records (timecards or
timesheets) signed by employees?
- Are hours worked per detailed records summarized on the JMU Departmental
- Does the department head or designee (per signature cards) approve the JMU
Departmental Timesheet to certify that work was performed by employees?
- Does the department properly complete I-9 forms before allowing employees
- Are detail payroll records retained and adequately secured in the
- Are Personnel Action Request (PAR) forms indicating pay rate properly
prepared and approved by appropriate officials before a temporary employee
- Is overtime approved by supervisors before time is worked and documented
in a memo sent to Payroll Accounting?
- Are non-exempt employees compensated in accordance with the Fair Labor
Standards Act (FLSA)?
- Are hours worked by wage employees monitored and limited to working 1,500
hours in a 365 day period?
- Does the department complete PAR forms in a timely manner to notify Human
Resources of terminations?
- Are pay rates exceeding the Student Employment Wage Scale properly
approved by Student Employment Advisory Committee?
- Are student employees in a degree-seeking program at JMU?
- Are students prohibited from working more than 40 hours/week?
- Does the department monitor total hours worked per semester to ensure that
students do not exceed 20 hours/week?
- Does the department inform the Student Employment Office of resignations
in a timely manner?
- Does the department permit students to work only after receiving proper
notification (i.e. payroll employment notice) from the Student Employment
- Does the department provide the Student Employment Office with job
descriptions for each position?
- Does the department monitor hours worked to ensure that students do not
exceed authorized award amounts?
- Does the department permit students to work only after an Institutional
Employment Contract has been properly completed?
- Are PAR forms properly prepared and approved by appropriate officials for
all personnel actions (hires, terminations, transfers, etc.)?
- Do supervisors ensure that leave is accurately reported to Human
- Are non-exempt employees compensated in accordance with the Fair Labor
Standards Act (FLSA)?
- Are purchasing requisitions prepared and submitted to Procurement for all
purchases over $5,000?
- Are purchasing requisitions prepared and submitted to Procurement for the
following restricted purchases:
a. furniture not purchased from Virginia Correctional Enterprises?
b. unapproved printing?
c. narcotics or dangerous drugs?
d. alcoholic beverages?
e. firearms and ammunition?
f. property leases?
g. purchases from a state employee?
h. cellular phones?
i. professional services?
j. non-professional services that require other Commonwealth approvals?
- Are additional approvals obtained for the following restricted purchases:
a. copier rentals (information must be captured for Accounting &
b. vehicles (require Commonwealth approval)?
c. construction/renovation (require Facilities Management approval)?
d. air conditioners (require Facilities Management approval)?
- Are items available on State contract purchased from the contract vendor
a. the contract does not meet the delivery requirements;
b. the contract products quality exceeds or does not meet the JMU's needs; or
c. the contract product cost exceeds the cost of the product available on the
- For purchases not restricted (see questions 2 - 4 above), are Departmental
Purchase Orders (DPO's) properly completed and approved for purchases less
- Are goods received (and receiving report completed) by someone other than
the individual approving the purchase?
- Are purchases made with the Departmental Purchase Credit Card limited to
official University purchases up to $2,000?
- Does the department maintain current, approved Delegation Agreements for
each employee authorized to use the Purchase Credit Card?
- Does the department head/approving authority reconcile AMEX Credit Card
Statements to the Department Purchasing Log and supporting documentation?
- Are charges to departmental accounts approved by the department
head/approving authority? (Approval should be evidenced by approving signature
on the Statement Cover Sheet for Payment to AMEX.)
- Are Purchase Credit Cards (and account numbers) kept in a secure location by
- Are Purchase Credit Cards returned to Accounting and Reporting when
employees terminate employment or transfer?
- Are purchases that are expected to exceed $5,000 annually and contracts
exceeding $5,000 (including those that span more than one year) purchased on a
University purchase requisition?
- Are expenditures recorded on FIS Summary Financial Reports reconciled to
supporting documentation each month?
- Are Travel Authorization forms completed and approved prior to overnight
travel or one day trips exceeding $500?
- Is travel to conventions and conferences limited to two employees or
justification approved by the division head?
- Are cost benefit analyses performed to justify travel by five or more
employees to attend training, workshops, etc.?
- Does the department utilize travel agencies under contract with JMU or
submit a cost justification if another agency is used?
- Is mileage claimed for reimbursement calculated in accordance with the JMU
Financial Procedures Manual?
- Does the department ensure that travelers adhere to State and University
limits for lodging, meals, and incidental expenses?
- Are travel charge cards used only for reimbursable expenses incurred while
conducting official State business?
- Do department employees pay travel card balances in a timely manner?
- Are travel reimbursement vouchers properly completed, approved and
submitted (along with supporting documentation) to Accounts Payable in a
- Are "Out of the Country Travel Approval" forms completed when
departments personnel travel outside the U.S.?
- Are receipts and issuances recorded in inventory records in a timely
- Are inventory records maintained or checked by an employee other than the
employee who has custody of the inventory.
- Are inventory requisition forms properly completed, approved and retained
for all inventory issuances?
- Is a periodic physical count performed by persons other than those who
maintain custody of the inventory and/or inventory records?
- Are written procedures for physical counts prepared and properly approved?
- Are physical counts supervised by a responsible official?
- Are items not to be included in the count segregated from the items to be
- Are pre-numbered count tags used to ensure that all inventory items have
been accounted for?
- Are arrangements made to prevent missing or double counting items during
the physical inventory?
- Is investigation of differences between physical counts and inventory
records performed/checked by persons other than those who maintain custody
of the inventory and/or inventory records?
- Do procedures ensure that an accurate count and valuation is transmitted
to Accounting and Reporting at year end?
- Are physical inventory quantities priced, extended and summarized by
someone other than those who maintain custody of the inventory and/or
- Are transfers/disposal of equipment approved by the dean or department
head and submitted on the Equipment Transfer Form to Accounting &
- Does the department conduct an annual physical inventory of equipment,
compare the results of the inventory to FAACS reports, and submit the
Equipment Certification Report to Accounting and Reporting?
- Does the department have procedures to control equipment taken off campus
by employees (i.e., to work at home)?
Information Security Access and Password
- For multi-user systems, has a System Administrator been assigned and
registered with the University's Information Technology department?
- Do documented user request procedures require the completion of a user
request form which is approved by the appropriate management level?
- Do procedures exist which require the deactivation of a user ID not used
in more than specified period of inactivity?
- Do departmental user procedures define the employee termination/transfer
- Do user ID's issued to temporary and any non-full time faculty and staff
personnel have an expiration period assigned to them?
- Are users logged-off automatically after a specified period of inactivity?
- Do written procedures require that access levels be determined by job
- Do procedures require that the department review changes to access levels
after changes have been made by someone other than the person that made the
- Are the access capabilities of employees periodically validated?
- Are all users assigned a unique user identification code?
- Are passwords used to verify users?
- Are employees prohibited from sharing passwords with other users?
- Do departmental procedures require passwords to be at least 6 characters
- Do departmental procedures require that passwords contain both alpha and
- Does the system prevent a user from selecting a new password that is the
same as the user's old password?
- Do departmental procedures require changes to passwords be based on a set
- Are passwords masked when entered so that no one is able to see the
password when entered?
- Do software controls exist which detect and prevent repeated attempts to
log-on to the operating or application and guess passwords?
- Does the operating system or application prohibit further log-on attempts
after a set level of unsuccessful attempts have been made?
- Has departmental management designated a person responsible for
coordinating workstation security?
- Do departmental procedures require users to log-off if a workstation will
be left unattended for a specified time period?
- Is a log maintained of all departmental personnel authorized to use a
- Are workstations protected from power fluctuations and outages via the use
of surge protectors or uninterruptible power supplies (UPS)?
- Are identification numbers, serial numbers and equipment descriptions
recorded and stored in a secure location in the department or elsewhere at
- Are workstations located in areas that are physically secure and access to
these areas restricted before and after normal business hours?
- Do the following housekeeping rules apply to workstations: limited storage
of combustible supplies in adjacent areas? frequent disposal of waste and
paper or wrapping materials to minimize fire hazard?
- Does the department have procedures to deactivate, in a timely manner,
log-ins to applications systems when personnel terminate or transfer?
- Do departmental procedures prohibit writing passwords on or near the
workstations or work areas (i.e., in plain view)?
- If sensitive information systems reside on a workstation, is data access
control system software installed on the workstations to prevent
unauthorized access to data and programs on the workstations?
Contingency Management Plan
- Has a contingency plan been developed and documented?
- Has the contingency plan been tested at a frequency commensurate with the
- Does the contingency plan address alternative procedures?
- Has departmental management established a security awareness and training
program to ensure that all individuals involved in the use of information
technology are aware of : a) what should be protected, b) required employee
actions and security responsibilities, and c) procedures to follow when a
problem is discovered?
- If the department has any external requirements for information security,
does the department provide information on these requirements to employees?
- Does the department update employees on revisions to University policies
and/or departmental procedures related to information security?
- Are all newly hired employees required to attend University security
- Do departmental procedures contain the following instructions:
a. Password Management - For password selection and change, rules against
sharing passwords, password holder's accountability for its use.
b. Physical Access Controls - Keeping keys under control, not allowing
piggybacking into restricted areas, escorting visitors.
c. Information Storage - Locking up sensitive information when not in use,
protecting essential information from destruction.
d. Information Distribution - Packaging sensitive information for mailing,
using special messengers or couriers, verifying caller identity before
e. Information Disposal - Shredder location and use, using special locked
containers for sensitive trash, enforcing classified-waste disposal program.
f. Authorization - Who should authorize transactions and when, the
importance of verifying authorization signatures.
g. Errors - Error prevention, detection, and correction, use of balancing
reports or control totals, what to do if an error cannot be corrected using
h. Personal conduct - The importance of not discussing controlled
information or the methods used to control it.
i. Disaster Recovery & Alternative Procedures - Each employee's
responsibilities in an emergency, special recovery team's responsibilities,
who is in charge of those teams.
j. Information Classification - types of data (e.g., public, internal
general, or internal restricted) managed by the department.
- Has departmental management established virus prevention and detection
procedures for all departmental workstations and standalone microcomputers?
- Has departmental management selected a person to administer virus
prevention and detection procedures for all departmental workstations and
stand alone microcomputers?
- Has anti-virus software been implemented on all workstations and
- Do procedures require:
a. The departmental administrator to promptly implement anti-virus software
b. Employees immediately notify the departmental administrator of a virus?
c. Employees run only approved software on workstations?
- Are there documented procedures for entering information into systems
(e.g., terminal user guides or user manuals)?
- Is there segregation of duties to ensure that no individual performs more
than one of the following operations?
a. data origination
b. data input
c. report distribution within the department
- Can messages and data be traced back to the user or point of origin?
- Are there sufficient edits to ensure that data is recorded in the proper
field, format, etc.?
- Are error messages produced for each data field that does not meet edit
requirements and are errors displayed or printed immediately on detection
for immediate correction by the terminal operator?
- Are all personnel prevented from overriding or bypassing data validation
and editing errors, or are these capabilities limited to appropriate
- Do error messages provide clear, understandable, cross-referenced
corrective actions for each type of error?
- Do documented procedures explain how to identify, correct, and reprocess
data rejected by the application?
- Are detail transaction reports or reports with control totals produced and
reviewed by an employee not responsible for entering information so that
critical data can be verified to source documents for accuracy and
Accomplishment of Goals and Objectives
- Does the department have an operating plan to accomplish its goals?
- Have departmental goals and objectives been established?
- Have goals and objectives been formally approved and documented?
- Are the objectives prioritized according to importance?
- Is a written report of accomplishments and non-accomplishments reviewed
- Are there written status reports issued to monitor accomplishment of goals
- Has management established operating or work standards that can be used to
measure departmental performance?