Questionnaires

During the planning phase of an assurance audit, IACS may use an Internal Control Questionnaire (ICQ) to help evaluate internal controls in specific areas. By asking key questions, IACS often uses an ICQ as a starting point and then supplements it with other information-gathering and control evaluation techniques, such as flowcharting and documentation review.

Below are three common ICQs that, together with IACS staff, audit clients may use to help assess their operation.

Revenues and Receipts

This ICQ is used to evaluate internal controls associated with how revenue is generated, received, recorded, safeguarded, summarized, deposited, and reported.

Key Questions

• Does the Unit have procedures which accurately record revenue from all sources: cash, check, credit card charge, internal charge, etc.?
• Is separation of duties adequate?
• Is cash adequately safeguarded?
• Is there an adequate audit trail and reconciliation procedure for timely detection of shortages?
• Is this data reconciled to the revenue that is posted to the Organization's Accounting System?

Critical Internal Controls

General

• Documentation of every sale of goods or services with a cash register entry, a pre-numbered receipt form, an invoice, etc. Customers are issued a duplicate.
• A method for accumulating revenue such as a point of sale (POS) system.
• Balancing procedures, e.g., when cash registers are used.
• Sales are reconciled to deposits.
• Deposits are reconciled monthly to the Organization's accounting reports.
• Accounting for pre-numbered forms.
• Periodic management review of revenue data for trends such as: unexplained variations in sales or sales of certain product lines, changes in ratios such as inventory turnover or shrinkage, comparison of budgeted to actual revenue, etc.

Cash

• Delegation of authority to receive cash to a specific person(s).
• Cash receiving and cash accounting are separated.
• Adequate physical security over cash (during both storage and transfer).
• Timely deposits, made intact with no cash receipts retained, borrowed, or expended.
• Validation of the deposit slips.
• Comparison of credits on the Organization's accounting report with the validated deposit slips.
• Cash shortages are identified, followed, and collected.
• Cash overages are identified and deposited.
• Adequate supervision over cashiers, including cash handling, cash register balancing, and monitoring overs and shorts.

Key Compliance Requirements

• Requirement that the check be made out to Miami University, and be reviewed upon receipt for the following: payer's name, local address, and telephone number. Also, verification that the date is current, the written amount agrees with the numerical amount, and that the check is signed.
• Cash receiving and refunding cash duties are separated and refunds are independently authorized.
• Voided transactions are independently authorized by someone other than the person receiving the funds.
• Refunds and voids processed through the system are reconciled to the above independent authorizations.
• Cashiers do not have access to the total key of their registers.
• Procedures prohibit check cashing.
• Sales tax is collected and accounted for as required.
• Written instructions are available describing procedures.

Significant Risk Areas

• Revenues are not recorded.
• The fact that revenues are not recorded is not detected.
• Risk that theft will continue if not detected in a timely way.
• Risk of loss due to inability to place blame because controls do not require one fund/one custodian.

Payment Card Data Security

This ICQ is used to evaluate internal controls associated with the confidentiality, integrity, and security of University payment card transactions.

Key Questions

• How are credit card transactions made?
• At which locations/sites are credit card transactions processed?
• Are credit card numbers ever included in emails or attachments to emails?
• Does the credit card number have to be shared with any other departments?
• Do you distribute receipts outside the department? Why is this necessary? What information is included?
• Are the credit card numbers maintained? Is it the full number? For how long?
• Is credit card information stored in a customer database?
• Is credit card information stored in an electronic spreadsheet?
• Where are the physical and electronic records showing credit card numbers stored?
• How long are they stored?
• If so, is this on a University server? Has security been reviewed by IT Services?

Critical Internal Controls

• Credit card transactions must be made in person, by telephone, by mail or via a secure University-approved internet application.
• Credit card information is not accepted via email and such information is not sent to another department via email.
• Printed customer receipts that are distributed outside the department must show only the last four digits of the credit card number.
• Any unit wanting to store payment card data needs written approval from both the Chief Investment Officer and the Information Security Officer to do so. With those approvals, electronic payment card data can be stored for up to 60 days. If the unit needs to store electronic payment card data for a longer period of time, approval from the Assistant Vice President responsible for the operations of the unit in question, the Chief Investment Officer, and the Information Security Officer allows the electronic payment card data to be stored up to 180 days.
• Explicit written approval from the Information Security Officer is required to collect and/or store paper records containing payment card data. All such records must be stored in a secure fashion and must be destroyed with either a cross-cut shredder or a confetti shredder as soon as the data is no longer needed. These records cannot be stored for more than 15 days. If paper records are accidentally created containing payment card data, that data will be destroyed with either a cross-cut shredder or a confetti shredder.
• Group accounts and shared passwords are not allowed to access payment card data.
• Applications that store, process, or transmit payment card data need approval from the Information Security Officer before they can be upgraded or patched.

Significant Risk Areas

• Theft and unauthorized use of stolen credit card numbers.
• Lack of compliance with legal requirements.
• Bad publicity due to lack of stewardship.

Inventory for Resale

This ICQ is used to evaluate internal controls associated with how inventory is physically safeguarded and secured, organized, current (not obsolete) and not excessive (based on the usage or sales), valued, and recorded.

Key Questions

• Are adequate records kept of the movement of goods?
• Does the Unit ever compare what they do have with what they should have?
• Are physical safeguards over the inventory adequate for its nature?

Critical Internal Controls

• Maintenance of perpetual records or other control records.
• Periodic physical counts.
• Balancing of physical count to control totals.
• Purchasing controls (bids, approvals, limits).
• Receiving reports, or other documents documenting incoming shipments of goods.
• Receipts documenting sale of goods.
• Various methods to control access to goods: security guards, locks, or a custodian.
• Accounting techniques that count the goods in the proper period (cutoff).
• Properly reflecting changes to inventory when sales, returns, etc. are made.
• Adequate separation of duties.
• Adequate management review and analysis of relevant data such as inventory turnover, shrinkage, markdown, and sales trends.

Significant Risk Areas

• Loss of revenue through inventory shrinkage (theft of goods).
• Loss of revenue through failure to recognize obsolescence, slow turnover, and low profit margins.
• Loss from paying excessive prices for inventory.
• Loss from poor purchasing decisions (i.e. materials were not needed, merchandise was not salable).
• Loss of sales and/or purchase of excess inventory due to poor physical organization of goods.

Risk Discussion Questionnaire

During the planning phase of an assurance audit, IACS may use the Risk Discussion Questionnaire (RDQ) to help focus the audit to more specific areas.

Please note: Audit clients do not need to complete these questions in advance but may desire to become familiar with it by reviewing the questions involved. IACS staff will work with you to complete the questionnaire.

Sample Questions

General Information

• Department or Process
• Contact Person
• Contact Phone
• Date Completed

1. What is the purpose/mission/objective of this unit or process?
2. How many employees work in the department? What is your organizational structure?
3. Do you have job descriptions for each employee? What is each of the employee's key responsibilities?
4. What documented policies and procedures are available?
5. What is the worst thing that could happen to this unit or process?
6. What is the worst thing that has already happened to this unit or process?
7. What are the critical interfaces (other work groups or processes) that give you the most concern (and why)?
8. Please describe the areas of your department's operations you feel are the most vulnerable to risk and any related internal control currently in place to offset those risks.

I. Systems, Data, Information Security

1. Please indicate if this area has implemented any new or extensive information systems within the past 12 months. If yes, was the software developed or purchased? What was the cost of implementation (hardware and software)?
2. What is the nature of the data processed by this unit or process? Is it private, confidential, proprietary, classified, financial, operational, sensitive, or public?
3. To what extent are policies, procedures, standards, and guidelines developed, implemented and enforced so that information system risk is minimized for this unit or process?
4. Are any information systems considered critical to the mission of this unit or process, or to the University as a whole?

II. Operations, Management Controls, and Accountability

1. If the department has been audited within the last 5 years by either an external group or IACS, please indicate when and by whom. (State auditors, federal auditors, other).
2. Does the department have a written and tested disaster recovery plan? If yes, was the plan specifically developed for your department?
   • University Disaster Recovery Plan
   • Departmental Disaster Recovery Plan
   • None
   If departmental plan, please describe what specific areas of operation (e.g. network interruption, disruption of routine business operations due to an emergency situation) the recovery plan addresses.
3. What procedures have been developed to monitor and evaluate employee performance in the areas of accountability and contribution toward attainment of management goals and objectives?
4. How much have procedures or processes changed in the last 12 months?
   • No changes
   • Some significant changes
   • Major changes have occurred to one or more procedures or processes, or a significant new system has been developed and implemented.
   Please specify details.
5. To what extent have reorganization, management turnover, employee turnover, or other departmental changes (e.g. budget size, size of operations) affected the environment of the area (experience, continuity, control, and accountability) in the last 12 months?
   • No changes
   • Moderate Impact
   • Significant Impact
   Please describe all relevant changes that have occurred in the department in the last 12 months.
6. Segregation of duties is an internal control where responsibilities are assigned so that no one individual controls all aspects of a process or transaction. Please choose the answer that best fits the department at this time:
   • No individual has full control over all aspects of a process or transaction.
   • Some individuals have full control over some transactions; however, there are some mitigating controls to reduce risk, such as a subsequent review of the transactions by another person.
   • Some individuals have full control over some transactions; there are no mitigating controls in place.

III. Financial Management

1. Please list all current fiscal year index codes, purpose, and associated fund balances available to or processed through the department.
   Include all of the following funds:
   • E&G
   • Designated
   • Restricted gift
   • Auxiliary
   • Restricted grant or sponsored program
   • Plant funds
2. Has management developed written rules, guidelines, policies, and/or procedures for all transactions and critical financial activities?
   • Yes
   • Somewhat
   • No
3. How often are actual income and expenditures monitored against the budget and are significant variances identified and reported to management?
   • Monthly
   • Annually
   • Not at all
4. How many cash collection points exist in your department?
   • None
   • 1-4
   • 5-10
   • 11-20
   • More than 20
   Please list the location of each cash collection point.

IV. Legal and Regulatory Compliance

1. Due to the mission of this unit or process, what is the level of inherent risk of fines, penalties, or lawsuits that may result from noncompliance with various federal or state regulations or agencies (e.g. EPA, OSHA, Title IV, Title IX, NCAA, and ORC)?
   • Not Applicable
   • Minimal
   • Moderate
   • Significant
   Please specify what regulations are applicable to this department or process.
2. Describe current measures taken to ensure compliance with any applicable regulatory body.
3. If the unit has grant or sponsored research funding, how is compliance with OMB Uniform Guidance ensured? What types of oversight are in place to monitor sponsored research activity?
4. How many employees or students have filed grievances or legal actions against the unit's employees within the past year? What was the basis of the complaint(s) and the outcome?

V. Public and Political Sensitivity

1. What is the level of inherent risk of adverse public relations or publicity due to the nature of the department's basic operations (e.g., research on human or animal subjects, hazardous waste disposal, research involving controlled substances, significant impact on students, access to confidential information)?
   • Minimal
   • Moderate
   • High
2. What controls currently exist to ensure that each faculty or staff member has a working knowledge of the conflict of interest policies of the University? Has there been any conflict of interest situations brought to management's attention in the last year?
3. How often, if ever, have negative stories resulting from a complaint or disagreement either from faculty, staff, or students, concerning this unit been publicized (or threatened with publication) in the local media?

VI. Other Questions

1. Do you know of anyone who is breaking the rules?
2. Has anyone in the organization asked you to do something that you thought was illegal or unethical?
3. What would you do if someone asked you to do something that you thought was wrong?