Best Practice FAQ

(Controls) What are good internal controls? Why should I be concerned?

Good internal controls safeguard University assets or make their use more efficient and effective. They are good business practices that assist you in achieving your objectives. Good internal controls are cost-effective, timely, and flexible. Good controls are placed where they are most effective and identify both the problem and its cause.

Senior administrators are responsible for developing a good system of internal controls, but all employees should be concerned about maintaining good internal controls because they are concerned about achieving their objectives.

(Controls) What are "Preventative Controls?"

Preventative controls are designed to discourage or preempt errors or irregularities from occurring. They are more cost-effective than detective controls. Credit checks, job descriptions, required authorization signatures, data entry checks, and physical control over assets to prevent their improper use are all examples of preventive controls.

(Controls) What are "Detective Controls?"

Detective controls are designed to search for and identify errors after they have occurred. They are more expensive than preventive controls, but still essential since they measure the effectiveness of preventive controls and are the only way to effectively control certain types of errors. Account reviews and reconciliations, observations of payroll distribution, periodic physical inventory counts, transaction edits, and internal auditors are all examples of detective controls.

(Controls) What are "Corrective Controls?"

Corrective controls are designed to prevent the recurrence of errors. They begin when improper outcomes occur and are detected, and they keep the "spotlight" on the problem until management can solve it or correct the defect. Quality circle teams and budget variance reports are examples of corrective controls.

(Controls) How are controls evaluated?

Auditors evaluate the effectiveness of an operation's internal controls by first gathering information about how a unit operates, identifying points at which errors or inefficiencies are possible, and identifying system controls designed to prevent or detect such occurrences. Then, they test the application and performance of those controls to assess how well they work. You can evaluate controls in your department's operations by following the same process.

(Document Retention) What do I need to know about Document Retention?

University-related records are a source of an organization's institutional memory: they document management decisions, provide historical references of transactions and events, enhance an organization's operational efficiencies, demonstrate regulatory compliance, and provide support in the case of litigation. All records have a legal lifecycle, and it is the organization's responsibility to maintain, store and dispose of these records appropriately. Ohio University Policy 93.002: Records Management and Archiving provides the basic framework and information for maintaining a consistent, reliable, and legal records retention program at the University.

The Inter-University Council (IUC) of Ohio establishes and consistently updates a records retention manual which contains the legal guidelines that are necessary for creating records retention schedules for virtually every common university records series. The manual, which is the result of the combined work of a team of legal records experts and university records managers from Ohio colleges and universities, also suggests that a records retention program should include:

  • an inventory of an organization's records—paper based and electronic
  • a records retention schedule
  • a mapping of the inventory to the records retention schedule
  • policy and procedures for: the storage and retrieval of records, the conversion of records (if necessary), a vital records program, disaster prevention and recovery, the appropriate disposal of records through destruction, or transfer to an archives

Each planning unit is responsible for developing a records retention template that is approved by the University Records Manager. In addition, the planning unit head, or designee, is responsible "with guidance and approval of the University Records Manager, to conduct records inventories and analyses and to establish the official records retention schedules for their respective units."

Specific records retention questions are best answered by Bill Kimok, Archivist and University Records Manager, at 740-593-2712.

(Information Processing Controls) What are Information Processing Controls?

Automation checks for accuracy, completeness, and authorization of transactions. Data is subject to edit checks or matching to approved control files. Numerical sequences of transactions are accounted for, file totals are controlled, and reconciled with prior balances and control accounts. Development of new systems and changes to existing ones are controlled, as is access to data, files and programs.
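
The sequence-accounting and control-total checks described above, as an added example that is not part of the original FAQ. The record layout, the `check_batch` function, its parameters and the sample batch are all constructed for illustration.

```python
from decimal import Decimal

# Constructed sample batch of (sequence number, amount); not real data.
SAMPLE_BATCH = [
    (1001, Decimal("250.00")),
    (1002, Decimal("75.50")),
    (1004, Decimal("310.25")),  # 1003 never arrived
    (1004, Decimal("310.25")),  # same sequence number posted twice
    (1005, Decimal("-20.00")),
]


def check_batch(batch, first_seq, last_seq, control_total,
                prior_balance, control_account_balance):
    """Apply sequence, control-total and balance checks to one batch."""
    seen, duplicates = set(), set()
    for seq, _amount in batch:
        if seq in seen:
            duplicates.add(seq)
        seen.add(seq)

    expected = set(range(first_seq, last_seq + 1))
    batch_total = sum((amount for _seq, amount in batch), Decimal("0"))

    return {
        # Numerical sequence accounted for: no gaps, repeats or strays.
        "missing": sorted(expected - seen),
        "duplicates": sorted(duplicates),
        "out_of_range": sorted(seen - expected),
        # File total agrees with the independently supplied control total.
        "total_matches": batch_total == control_total,
        # Prior balance plus this batch equals the control account.
        "balance_reconciles":
            prior_balance + batch_total == control_account_balance,
    }


if __name__ == "__main__":
    findings = check_batch(SAMPLE_BATCH, 1001, 1005, Decimal("615.75"),
                           Decimal("1000.00"), Decimal("1615.75"))
    for name, value in findings.items():
        print(f"{name}: {value}")
```

Amounts use `Decimal` so that the total comparison is exact; binary floats can make a correct batch fail reconciliation by a fraction of a cent.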

(Physical Controls) What are Physical Controls?

Equipment, inventories, securities, cash, and other assets are secured physically, periodically counted, and compared with amounts shown on control records. Access is restricted to those with authority to handle them.

(Policies/Procedures) What policies and procedures do we need?

Policies and procedures can be classified as operational or administrative.

"Operational" refers to the activities conducted in your office or department to directly achieve your main objectives. Generally, these activities are specific to your operation because, after all, your unit – not another – is the one that does the things it does! The Office of Audit, Risk, and Compliance's operational activities, for example, include audit and consulting activities. Student Financial Aid's operational activities include advising and processing loans and scholarships.

"Administrative" refers to the activities performed in support of your unit's objectives. These activities are usually performed in some fashion in most units. Both the Office of Audit, Risk, and Compliance and Student Financial Aid departments generate or keep records and reports; expend, collect and budget money; and hire and develop employees, to name just a few common administrative activities.

Because both types of activities are important to your department's ultimate success, you should prepare and include in your manual policies and procedures for both types of activities, too. For example, your prime operating objective may be to collect revenue. You will want to include detailed instructions on how to process cash receipts, along with details of who performs each task, when they perform them, and the like. Your office may also employ several students. Although student payroll processing is handled by the payroll department and is not your operational responsibility, the payment of your students does affect your own "bottom line." Because it's part of your support functions, you should also include detailed instructions on the tasks involved in processing payroll for your student employees, from time collection and authorization to labor distribution report review and reconciliation.

(Reconciliations) What are Reconciliations?

Reconciliations are comparisons made between similar records maintained by different persons to verify transaction details.

(Reviews) What are Transaction and Activity Reviews?

This is where managers review performance reports. They may relate different sets of data - operating or financial - to one another, together with analyses of the relationships.

(Segregation of Duties) What is "segregation of duties?"

This is when duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. For instance, responsibilities for authorizing transactions, recording them, and handling the related asset are divided.

Examples include:

  • (Finance) A classic example is cash handling. Procedures should be segregated so that no one person is performing all of the steps in the process.
  • (IT) For critical information systems, or information systems that process sensitive data, it is a best practice for software development to be kept separate from the deployment of software. In this way, one person cannot independently implement and deploy a malicious feature. Change Management processes often enforce a segregation of duties between software developers and system administrators.

(Segregation of Duties) How do I ensure that duties performed in my department are properly segregated if there are only two employees in the department?

It can often be difficult for small departments to properly segregate the specific functions that they perform. For example, if a department only has three employees and it bills, collects, records, and deposits revenue, it can be a challenge to ensure proper controls over these procedures. In situations such as these, management oversight becomes very important. Management should review all invoices prepared and thoroughly review monthly financial reports and reconciliations. Management should also sign off on any documents they review.