JMU CONTROL SELF-ASSESSMENT
The JMU Control Self-Assessment is not an all-inclusive list of
internal controls. Internal controls must be tailored to fit specific processes in
each department. Instead, this self-assessment should be used as a general guide
to help managers ensure basic internal controls are in place. A "yes"
answer indicates that a desired control is in place; a "no" answer
indicates that a control weakness may be present, and corrective action may be
necessary. Keep in mind that some questions may not be applicable to all
operations.
If you have any questions, please call Audit and
Management Services at ext. 86400.
General Controls
- Does the department maintain written, up-to-date departmental procedures?
- Does the department have an up-to-date copy of the JMU Financial Procedures
Manual?
- Are all employees aware of University Policies and Procedures maintained on
the University's home page?
Cash Receipts
- Are cash receipts entered into a cash register (or recorded on pre-numbered
receipt forms) with a receipt copy given to the payer?
- Is a restrictive endorsement placed on incoming checks as soon as received?
- Are all checks made payable to the University?
- Are cash receipting duties performed by an employee not responsible for
maintaining accounts receivable records?
- Are the duties of employees connected with the cash receipts function
rotated periodically through vacations, etc.?
- Is responsibility for cash receipts fixed from the time they are received
until sent to the bank? (i.e. Does adequate accountability exist to
identify who is responsible for cash at any given time?)
- Are deposits compared on a daily basis to cash register totals
(or pre-numbered receipt forms) by someone other than the employee initially
receiving cash?
- Are all voids properly approved by someone other than employees collecting
cash and preparing deposits?
- Are cash overages or shortages reported on Deposit Transmittal Forms?
- Are employees prohibited from using cash receipts to make cash
disbursements?
- Are adequate physical facilities (i.e., a safe for large amounts, a locked
device within a secured office for smaller amounts) provided for
safeguarding cash until it can be deposited?
- Are cash receipts deposited intact on a daily basis? (When collections are
less than $200, deposits may be made on a weekly basis.)
- Are JMU Deposit Transmittal Forms prepared and signed for each deposit?
- Are JMU Deposit Transmittal Forms and supporting documentation approved by
an employee not involved with the cash receipting process?
- Are FIS Summary Financial Reports reconciled
to supporting documentation by the department?
- Does the department maintain (and provide employees with) detailed written
procedures for cash receipting?
- Are refunds and returns approved by management?
Petty Cash Change Funds
- Has the department received approval from the Cashier's Office for the
amount of change funds maintained?
- Are change funds used exclusively for making change?
- Is cashing of checks out of change funds prohibited?
- Are change funds adequately secured in a locked device (e.g., a safe for
large amounts, a locked device within a secured office for smaller
amounts)?
- Are safe combinations and keys to cash boxes restricted to a minimum
number of employees?
- Are change funds periodically reconciled
to the authorized fund balance by someone other than the fund custodian?
- Is the amount of the change fund periodically evaluated to ensure that the
amount of the fund is not excessive?
- Are new Permanent Petty Cash Forms submitted to the Cashier's Office each
time the fund custodian changes?
Accounts Receivable
- Are accounts billed in a timely manner (within 5 days after goods or
services are provided)?
- Is an accurate record of accounts receivable maintained and summarized in a
control account (i.e., a cumulative receivable total updated for daily
billings and receipts)?
- Is the accounts receivable control account periodically reconciled to
detailed accounts receivable?
- Are accounts receivable aged trial balances routinely prepared?
- Do trial balances include realistic estimates of doubtful accounts and an
identification of accounts that should be written off?
- Is a record of year-end receivable balances prepared with comparisons to
prior year's reports?
- Are the duties of recording/monitoring accounts receivable segregated from
cash receipting duties?
- Are adequate procedures followed to ensure collection of delinquent accounts
(i.e., billed monthly for the first 90 days, then reported to the Cashier's
Office for referral to a collection agency or the Attorney General's Office)?
Student/Temporary Payroll
- Does the department maintain accurate, detailed time records (timecards or
timesheets) signed by employees?
- Are hours worked per detailed records summarized on the JMU Departmental
Timesheet?
- Does the department head or designee (per signature cards) approve the JMU
Departmental Timesheet to certify that work was performed by employees?
- Does the department properly complete I-9 forms before allowing employees
to work?
- Are detail payroll records retained and adequately secured in the
department?
Temporary Employees
- Are Personnel Action Request (PAR) forms indicating pay rate properly
prepared and approved by appropriate officials before a temporary employee
commences work?
- Is overtime approved by supervisors before time is worked and documented
in a memo sent to Payroll Accounting?
- Are non-exempt employees compensated in accordance with the Fair Labor
Standards Act (FLSA)?
- Are hours worked by wage employees monitored and limited to 1,500 hours in a
365-day period?
- Does the department complete PAR forms in a timely manner to notify Human
Resources of terminations?
- Are pay rates exceeding the Student Employment Wage Scale properly
approved by Student Employment Advisory Committee?
- Are student employees in a degree-seeking program at JMU?
- Are students prohibited from working more than 40 hours/week?
- Does the department monitor total hours worked per semester to ensure that
students do not exceed 20 hours/week?
- Does the department inform the Student Employment Office of resignations
in a timely manner?
- Does the department permit students to work only after receiving proper
notification (i.e. payroll employment notice) from the Student Employment
Office?
- Does the department provide the Student Employment Office with job
descriptions for each position?
- Does the department monitor hours worked to ensure that students do not
exceed authorized award amounts?
Institutional Employment
- Does the department permit students to work only after an Institutional
Employment Contract has been properly completed?
Classified Payroll
- Are PAR forms properly prepared and approved by appropriate officials for
all personnel actions (hires, terminations, transfers, etc.)?
- Do supervisors ensure that leave is accurately reported to Human
Resources?
- Are non-exempt employees compensated in accordance with the Fair Labor
Standards Act (FLSA)?
Purchasing/Expenditures
- Are purchasing requisitions prepared and submitted to Procurement for all
purchases over $5,000?
- Are purchasing requisitions prepared and submitted to Procurement for the
following restricted purchases:
a. furniture not purchased from Virginia Correctional Enterprises?
b. unapproved printing?
c. narcotics or dangerous drugs?
d. alcoholic beverages?
e. firearms and ammunition?
f. property leases?
g. purchases from a state employee?
h. cellular phones?
i. professional services?
j. non-professional services that require other Commonwealth approvals?
- Are additional approvals obtained for the following restricted purchases:
a. copier rentals (information must be captured for Accounting &
Reporting)?
b. vehicles (require Commonwealth approval)?
c. construction/renovation (require Facilities Management approval)?
d. air conditioners (require Facilities Management approval)?
e. consultants?
- Are items available on State contract purchased from the contract vendor
unless:
a. the contract does not meet the delivery requirements;
b. the contract product's quality exceeds or does not meet JMU's needs; or
c. the contract product cost exceeds the cost of the product available on the
open market?
- For purchases not restricted (see questions 2 - 4 above), are Departmental
Purchase Orders (DPOs) properly completed and approved for purchases less
than $5,000?
- Are goods received (and receiving report completed) by someone other than
the individual approving the purchase?
- Are purchases made with the Departmental Purchase Credit Card limited to
official University purchases up to $2,000?
- Does the department maintain current, approved Delegation Agreements for
each employee authorized to use the Purchase Credit Card?
- Does the department head/approving authority reconcile AMEX Credit Card
Statements to the Department Purchasing Log and supporting documentation?
- Are charges to departmental accounts approved by the department
head/approving authority? (Approval should be evidenced by approving signature
on the Statement Cover Sheet for Payment to AMEX.)
- Are Purchase Credit Cards (and account numbers) kept in a secure location by
cardholders?
- Are Purchase Credit Cards returned to Accounting and Reporting when
employees terminate employment or transfer?
- Are purchases that are expected to exceed $5,000 annually and contracts
exceeding $5,000 (including those that span more than one year) purchased on a
University purchase requisition?
- Are expenditures recorded on FIS Summary Financial Reports reconciled to
supporting documentation each month?
Travel
- Are Travel Authorization forms completed and approved prior to overnight
travel or one day trips exceeding $500?
- Is travel to conventions and conferences limited to two employees or
justification approved by the division head?
- Are cost benefit analyses performed to justify travel by five or more
employees to attend training, workshops, etc.?
- Does the department utilize travel agencies under contract with JMU or
submit a cost justification if another agency is used?
- Is mileage claimed for reimbursement calculated in accordance with the JMU
Financial Procedures Manual?
- Does the department ensure that travelers adhere to State and University
limits for lodging, meals, and incidental expenses?
- Are travel charge cards used only for reimbursable expenses incurred while
conducting official State business?
- Do department employees pay travel card balances in a timely manner?
- Are travel reimbursement vouchers properly completed, approved and
submitted (along with supporting documentation) to Accounts Payable in a
timely manner?
- Are "Out of the Country Travel Approval" forms completed when
department personnel travel outside the U.S.?
Inventory
- Are receipts and issuances recorded in inventory records in a timely
manner?
- Are inventory records maintained or checked by an employee other than the
employee who has custody of the inventory?
- Are inventory requisition forms properly completed, approved and retained
for all inventory issuances?
Physical Counts
- Is a periodic physical count performed by persons other than those who
maintain custody of the inventory and/or inventory records?
- Are written procedures for physical counts prepared and properly approved?
- Are physical counts supervised by a responsible official?
- Are items not to be included in the count segregated from the items to be
counted?
- Are pre-numbered count tags used to ensure that all inventory items have
been accounted for?
- Are arrangements made to prevent missing or double counting items during
the physical inventory?
- Is investigation of differences between physical counts and inventory
records performed/checked by persons other than those who maintain custody
of the inventory and/or inventory records?
- Do procedures ensure that an accurate count and valuation is transmitted
to Accounting and Reporting at year end?
- Are physical inventory quantities priced, extended and summarized by
someone other than those who maintain custody of the inventory and/or
inventory records?
Equipment/Fixed Assets
- Are transfers/disposal of equipment approved by the dean or department
head and submitted on the Equipment Transfer Form to Accounting &
Reporting?
- Does the department conduct an annual physical inventory of equipment,
compare the results of the inventory to FAACS reports, and submit the
Equipment Certification Report to Accounting and Reporting?
- Does the department have procedures to control equipment taken off campus
by employees (i.e., to work at home)?
Information Security Access and Password Management
- For multi-user systems, has a System Administrator been assigned and
registered with the University's Information Technology department?
- Do documented user request procedures require the completion of a user
request form which is approved by the appropriate management level?
- Do procedures exist which require the deactivation of a user ID not used
for more than a specified period of inactivity?
- Do departmental user procedures define the employee termination/transfer
process?
- Do user IDs issued to temporary and any non-full-time faculty and staff
personnel have an expiration period assigned to them?
- Are users logged-off automatically after a specified period of inactivity?
- Do written procedures require that access levels be determined by job
duties?
- Do procedures require that changes to access levels be reviewed, after they
have been made, by someone other than the person who made the change?
- Are the access capabilities of employees periodically validated?
- Are all users assigned a unique user identification code?
- Are passwords used to verify users?
- Are employees prohibited from sharing passwords with other users?
- Do departmental procedures require passwords to be at least 6 characters
in length?
- Do departmental procedures require that passwords contain both alpha and
numeric characters?
- Does the system prevent a user from selecting a new password that is the
same as the user's old password?
- Do departmental procedures require changes to passwords be based on a set
interval?
- Are passwords masked when entered so that no one is able to see the
password when entered?
- Do software controls exist which detect and prevent repeated attempts to
log on to the operating system or application and guess passwords?
- Does the operating system or application prohibit further log-on attempts
after a set number of unsuccessful attempts has been made?
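As an added example (not part of the JMU self-assessment), the script below evaluates a constructed set of user accounts and log-on events against several of the controls listed in this section: the 6-character alpha-plus-numeric password rule, the prohibition on reusing the old password, deactivation of user IDs idle beyond a specified period, and detection of repeated unsuccessful log-on attempts. The lockout threshold, inactivity period, account data, log lines and review date are all assumed values a department would set for itself.

```python
"""Added example: checks constructed account data and log-on events against the
access and password management controls in the checklist. All data is constructed."""
from __future__ import annotations
from datetime import date
from typing import Optional
import re

MIN_PASSWORD_LENGTH = 6          # checklist: passwords at least 6 characters
MAX_FAILED_LOGONS = 3            # assumed "set level" of unsuccessful attempts
MAX_INACTIVE_DAYS = 90           # assumed "specified period of inactivity"
REVIEW_DATE = date(2024, 6, 30)  # constructed date the assessment is run


def password_meets_policy(new_pw: str, old_pw: Optional[str]) -> list[str]:
    """Return the checklist rules a proposed password violates (empty list = compliant)."""
    findings = []
    if len(new_pw) < MIN_PASSWORD_LENGTH:
        findings.append("shorter than 6 characters")
    if not (re.search(r"[A-Za-z]", new_pw) and re.search(r"[0-9]", new_pw)):
        findings.append("must contain both alpha and numeric characters")
    if old_pw is not None and new_pw == old_pw:
        findings.append("same as the previous password")
    return findings


def stale_user_ids(last_logon: dict[str, date], today: date = REVIEW_DATE) -> list[str]:
    """User IDs idle longer than MAX_INACTIVE_DAYS; the checklist expects these deactivated."""
    return sorted(uid for uid, last in last_logon.items()
                  if (today - last).days > MAX_INACTIVE_DAYS)


def lockout_candidates(log_lines: list[str]) -> dict[str, int]:
    """Count consecutive failed log-ons per user ID (a success resets the streak).
    Returns IDs whose streak reached MAX_FAILED_LOGONS, with the failures observed,
    i.e. accounts the system should have locked under the lockout control."""
    streak: dict[str, int] = {}
    locked: dict[str, int] = {}
    for line in log_lines:
        m = re.match(r"\S+ \S+ logon (\w+) (success|failure)", line)
        if not m:
            continue                      # ignore lines that are not log-on events
        uid, result = m.groups()
        if result == "failure":
            streak[uid] = streak.get(uid, 0) + 1
            if streak[uid] >= MAX_FAILED_LOGONS:
                locked[uid] = streak[uid]
        else:
            streak[uid] = 0
    return locked


# Constructed sample data: last log-on per user ID and a short log-on event log.
SAMPLE_ACCOUNTS = {"jdoe": date(2024, 6, 28), "temp01": date(2024, 2, 1),
                   "asmith": date(2024, 5, 15)}
SAMPLE_LOG = [
    "2024-06-30 08:01:12 logon jdoe failure",
    "2024-06-30 08:01:40 logon jdoe success",
    "2024-06-30 08:05:03 logon temp01 failure",
    "2024-06-30 08:05:09 logon temp01 failure",
    "2024-06-30 08:05:15 logon temp01 failure",
    "2024-06-30 08:05:21 logon temp01 failure",
    "2024-06-30 09:00:00 logon asmith success",
]

if __name__ == "__main__":
    print("password 'abc12':", password_meets_policy("abc12", None))
    print("IDs to deactivate:", stale_user_ids(SAMPLE_ACCOUNTS))
    print("lockout candidates:", lockout_candidates(SAMPLE_LOG))
```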
Workstation Security
- Has departmental management designated a person responsible for
coordinating workstation security?
- Do departmental procedures require users to log-off if a workstation will
be left unattended for a specified time period?
- Is a log maintained of all departmental personnel authorized to use a
workstation?
- Are workstations protected from power fluctuations and outages via the use
of surge protectors or uninterruptible power supplies (UPS)?
- Are identification numbers, serial numbers and equipment descriptions
recorded and stored in a secure location in the department or elsewhere at
the University?
- Are workstations located in areas that are physically secure and access to
these areas restricted before and after normal business hours?
- Do the following housekeeping rules apply to workstations:
a. limited storage of combustible supplies in adjacent areas?
b. frequent disposal of waste and paper or wrapping materials to minimize fire
hazard?
- Does the department have procedures to deactivate, in a timely manner,
log-ins to applications systems when personnel terminate or transfer?
- Do departmental procedures prohibit writing passwords on or near the
workstations or work areas (i.e., in plain view)?
- If sensitive information systems reside on a workstation, is data access
control system software installed on the workstations to prevent
unauthorized access to data and programs on the workstations?
Contingency Management Plan
- Has a contingency plan been developed and documented?
- Has the contingency plan been tested at a frequency commensurate with the
risk?
- Does the contingency plan address alternative procedures?
Security Awareness
- Has departmental management established a security awareness and training
program to ensure that all individuals involved in the use of information
technology are aware of: a) what should be protected, b) required employee
actions and security responsibilities, and c) procedures to follow when a
problem is discovered?
- If the department has any external requirements for information security,
does the department provide information on these requirements to employees?
- Does the department update employees on revisions to University policies
and/or departmental procedures related to information security?
- Are all newly hired employees required to attend University security
awareness training?
- Do departmental procedures contain the following instructions:
a. Password Management - For password selection and change, rules against
sharing passwords, password holder's accountability for its use.
b. Physical Access Controls - Keeping keys under control, not allowing
piggybacking into restricted areas, escorting visitors.
c. Information Storage - Locking up sensitive information when not in use,
protecting essential information from destruction.
d. Information Distribution - Packaging sensitive information for mailing,
using special messengers or couriers, verifying caller identity before
revealing information.
e. Information Disposal - Shredder location and use, using special locked
containers for sensitive trash, enforcing classified-waste disposal program.
f. Authorization - Who should authorize transactions and when, the
importance of verifying authorization signatures.
g. Errors - Error prevention, detection, and correction, use of balancing
reports or control totals, what to do if an error cannot be corrected using
standard procedures.
h. Personal conduct - The importance of not discussing controlled
information or the methods used to control it.
i. Disaster Recovery & Alternative Procedures - Each employee's
responsibilities in an emergency, special recovery team's responsibilities,
who is in charge of those teams.
j. Information Classification - types of data (e.g., public, internal
general, or internal restricted) managed by the department.
- Has departmental management established virus prevention and detection
procedures for all departmental workstations and standalone microcomputers?
- Has departmental management selected a person to administer virus
prevention and detection procedures for all departmental workstations and
standalone microcomputers?
- Has anti-virus software been implemented on all workstations and
standalone microcomputers?
- Do procedures require:
a. The departmental administrator to promptly implement anti-virus software
upgrades?
b. Employees immediately notify the departmental administrator of a virus?
c. Employees run only approved software on workstations?
Input Controls
- Are there documented procedures for entering information into systems
(e.g., terminal user guides or user manuals)?
- Is there segregation of duties to ensure that no individual performs more
than one of the following operations?
a. data origination
b. data input
c. report distribution within the department
- Can messages and data be traced back to the user or point of origin?
- Are there sufficient edits to ensure that data is recorded in the proper
field, format, etc.?
- Are error messages produced for each data field that does not meet edit
requirements and are errors displayed or printed immediately on detection
for immediate correction by the terminal operator?
- Are all personnel prevented from overriding or bypassing data validation
and editing errors, or are these capabilities limited to appropriate
supervisory personnel?
- Do error messages provide clear, understandable, cross-referenced
corrective actions for each type of error?
- Do documented procedures explain how to identify, correct, and reprocess
data rejected by the application?
- Are detail transaction reports or reports with control totals produced and
reviewed by an employee not responsible for entering information so that
critical data can be verified to source documents for accuracy and
completeness?
Accomplishment of Goals and Objectives
- Does the department have an operating plan to accomplish its goals?
- Have departmental goals and objectives been established?
- Have goals and objectives been formally approved and documented?
- Are the objectives prioritized according to importance?
- Is a written report of accomplishments and non-accomplishments reviewed
with management?
- Are there written status reports issued to monitor accomplishment of goals
and objectives?
- Has management established operating or work standards that can be used to
measure departmental performance?