
7/26/22, 1:44 PM Internal Controls Guidance - Audit and Compliance Services

Audit and Compliance Services



Operational Internal Controls

Documentation of significant processes — Identify all significant department-specific activities or processes for which your department is responsible. Document each process, step by step, including the job titles responsible for each step. Having such processes documented is an excellent starting point for determining and evaluating where risks or internal control weaknesses may exist.

Segregation of duties — No one person should have control over all aspects of any financial transaction or process. Divide duties among staff members to reduce the risk of error or inappropriate actions. Segregation of duties also acts as a deterrent to fraud by making it more difficult for an individual to commit fraud without detection.

General categories of functions to be separated:

- Authorization of transactions
- Recording of transactions
- Custody of assets (receiving checks in the mail, for example)
- Reconciliations — Reconciliation and audit functions should not be performed by the same employee who performs the task being reconciled or audited.

If a single person has duties in two or more of these categories for a single type of transaction, additional segregation of duties should be considered, or other internal controls should be built around the process, such as more stringent supervisory review, to mitigate the weakness.

Examples:

- A single individual should not be able to authorize a purchase and also record that purchase in the accounting records.
- A single individual should not authorize his or her own time off and/or his or her own timesheets.
- A single individual should not authorize himself/herself to work overtime, or approve his/her own overtime pay.
- A single individual should not authorize a purchase order and receive the goods or services ordered.
- A single individual should not generate invoices for services rendered and also receive payments on those invoices.
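The segregation-of-duties rule above (no one person holding two or more of the separated categories for one transaction type, and no one approving records about themselves) can be checked mechanically once a department records who does what. The following is an added example written for this page, not a tool from Audit and Management Services; the duty assignments, approval records, names and transaction types are constructed sample data, and the four category names are taken from the list above.

```python
"""Segregation-of-duties (SoD) conflict check over a duty-assignment record.

Added example, not part of the original guidance. It assumes a department
keeps a simple list of (person, transaction type, duty category) entries
using the four categories the guidance says to separate, plus a list of
(approver, subject, record type) approvals. All data below is constructed.
"""
from collections import defaultdict
from itertools import combinations

# The duty categories the guidance says should be held by different people.
CATEGORIES = ("authorization", "recording", "custody", "reconciliation")

# Constructed sample assignments: (person, transaction_type, category).
SAMPLE_ASSIGNMENTS = [
    ("alice", "purchasing", "authorization"),
    ("alice", "purchasing", "recording"),          # conflict: authorizes and records
    ("bob",   "purchasing", "custody"),
    ("carol", "purchasing", "reconciliation"),
    ("dave",  "payroll",    "authorization"),
    ("erin",  "payroll",    "recording"),
    ("erin",  "cash_receipts", "custody"),
    ("erin",  "cash_receipts", "reconciliation"),  # conflict: handles and reconciles cash
    ("frank", "cash_receipts", "recording"),
]

# Constructed sample approvals: (approver, subject, record_type).
SAMPLE_APPROVALS = [
    ("dave", "erin", "timesheet"),
    ("erin", "erin", "overtime"),   # self-approval
    ("gina", "gina", "time_off"),   # self-approval
    ("dave", "frank", "time_off"),
]


def find_sod_conflicts(assignments):
    """Return {(person, transaction_type): sorted categories} for every person
    holding two or more separated categories on the same transaction type."""
    held = defaultdict(set)
    for person, txn_type, category in assignments:
        if category not in CATEGORIES:
            raise ValueError(f"unknown duty category: {category!r}")
        held[(person, txn_type)].add(category)
    return {key: sorted(cats) for key, cats in held.items() if len(cats) >= 2}


def conflict_pairs(conflicts):
    """Flatten conflicts into (person, transaction_type, category_a, category_b)
    rows, one per incompatible pair, for a review report."""
    rows = []
    for (person, txn_type), cats in sorted(conflicts.items()):
        for a, b in combinations(cats, 2):
            rows.append((person, txn_type, a, b))
    return rows


def find_self_approvals(approvals):
    """Return (approver, record_type) for records approved by their own subject,
    e.g. approving one's own timesheet, overtime or time off."""
    return [(approver, rtype) for approver, subject, rtype in approvals if approver == subject]


def compensating_control_needed(assignments, approvals=()):
    """True when any conflict exists; the guidance then calls for further
    segregation or a compensating control such as stricter supervisory review."""
    return bool(find_sod_conflicts(assignments)) or bool(find_self_approvals(approvals))


if __name__ == "__main__":
    for person, txn, a, b in conflict_pairs(find_sod_conflicts(SAMPLE_ASSIGNMENTS)):
        print(f"SoD conflict: {person} holds both {a} and {b} for {txn}")
    for approver, rtype in find_self_approvals(SAMPLE_APPROVALS):
        print(f"Self-approval: {approver} approved own {rtype}")
```

Each flagged row is a place where the guidance says to either split the duties or document a compensating control; the check is only as good as the assignment list, so that list should itself be reviewed when process documentation is updated.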

Authorization of expenditures and travel — Expenditures and travel should be properly authorized. If a payment is to an employee, that payment should be approved by someone other than the payee.

Reconciliations of records — Reconciliations of records, such as monthly general ledger or purchasing card expenditures, should be reviewed by someone other than the preparer of either record. The reconciliation should be signed and dated by both the preparer and the reviewer.

Employee training — Employees should have appropriate training to carry out their job duties and should have an appropriate level of supervision.

Delegation of authority — In today’s busy and dynamic environment it is impossible for one individual to perform all the duties and tasks that are required to achieve the university’s objectives. To meet the needs of their customers, managers delegate authority to staff so that decisions and related actions can occur in a timely manner. Delegation of Authority (DOA) is the formal process in which one person delegates the authority and responsibility to another person to carry out specific activities. Typically a manager will delegate to a subordinate a certain authority for a specific transaction (e.g., approve reimbursements up to $500). However, the person who delegated the work remains accountable for the outcome of the delegated work, even if the delegation is through an outsourcing arrangement. If DOA is done properly the university can save time and money while building the skills of its workforce. Managers should develop a framework in which they document the types of transactions and related dollar thresholds for which they delegate their authority to another individual. Managers need to ensure that individuals who receive delegated authority have been properly trained and are well versed in the university policies that govern the authority delegated.

Purchase card monitoring — The key control to ensuring the effectiveness of your unit’s purchase card program is a strong supervisory review and approval process.

Purchasing card policies by entity can be found as follows:

- VCU purchasing card policies (https://procurement.vcu.edu/i-want-to/use-a-p-card/)
- VCUHS purchasing card policies (this link requires either health system network access or use of the health system’s Virtual Private Network).
- MCVP has a separate purchasing card program from VCUHS. MCVP policies are available from the MCVP purchasing card program administrator in MCVP’s Finance department.

Compliance with these guidelines may be achieved through a monthly supervisory review of cardholders’ Statement of Account and supporting documentation, evidenced by the reviewer’s signature. Additionally, the business reason or the request to order should be documented, at a minimum, for purchases from businesses that employees might also use outside of work, such as a general retailer (e.g., Sam’s Club, Kroger or Home Depot).
https://acs.vcu.edu/audit-and-management-services/internal-controls-guidance/#oic3 5/15
7/26/22, 1:44 PM Internal Controls Guidance - Audit and Compliance Services

Perform the monthly supervisory review:

- Ensure that adequate receipts are present and match all purchases shown on the cardholders’ monthly statement.
- If supporting documentation is not provided, request the cardholder to provide it or obtain a copy from the vendor.
- Validate the business appropriateness of items purchased.
- If questionable transactions are identified, contact the cardholder for an explanation of the transaction. Validate the explanation with other departmental personnel, if possible (e.g., the explanation provided was that the item was purchased at the request of Dr. Smith).
- If the cardholder is not able to appropriately support or explain a questionable transaction, contact the Purchasing Card Administrator.
- Ensure that Purchasing policies are being followed:
  - Transactions are not split to avoid single transaction limits or card limits.
  - Sales tax is not paid unnecessarily.
- Sign and date the monthly statement to document that the review has taken place.

Cash controls — Any unit collecting cash, maintaining a cash fund or maintaining gift cards (usually for research subject participation) needs to ensure that cash and gift cards are sufficiently safeguarded and accounted for. The following principles of good cash handling are discussed in greater detail: Segregation of Duties, Security, Reconciliation, Management Review and Documentation.

Segregation of Duties: Cash handling duties can be divided into four stages: receiving, depositing, recording and reconciling. Ideally, all four stages would be performed by different individuals. The purpose of this segregation of duties is to minimize the opportunity for an employee to misappropriate funds without detection. In a smaller department, it may not be feasible to fully segregate all cash-related duties. In these circumstances, the department may rely on compensating controls (e.g., increased monitoring) to mitigate the risk that cash is lost or misappropriated.

Security: Keep all cash in a safe until it is deposited. For areas with regular cash receipts, a drop safe is recommended, with “anti-fishing teeth” to limit access to the contents of the safe. Regardless of the type of safe used, limit access to supervisory and authorized personnel only. Change the combination of the safe on a regular basis (e.g., annually) or when an employee who knows the combination to the safe leaves the department. Finally, cash or checks totaling $100.00 or more must be deposited within 24 hours of receipt.

Reconciliation and Documentation: Cash collections must be reconciled on a daily basis to the applicable system to ensure the completeness of receipts.

Health System only — Each Patient Access Representative collecting funds must complete an FDPP User Reconciliation Form. Each Patient Access Supervisor must complete a daily Front Desk Department Reconciliation form. Reconciliation procedures are available at http://lawsonerp.mcvh-vcu.edu/MCVPFinanceDepartment/MCVPForms.aspx (this link requires either health system network access or use of the health system’s Virtual Private Network).

Management Review: On a monthly basis, an employee who does not collect funds should reconcile deposit receipts to the general ledger accounts to ensure cash receipts were properly deposited and credited to the general ledger account. Also, the remaining cash and gift cards should be counted and added to the receipts to make sure the authorized cash fund balance is fully accounted for.

Documentation: Records of deposits made must be documented and retained to assist in the performance of reconciliations. Reconciliations between local records (e.g., receipts) and the general ledger revenue reports must be performed on a monthly basis. Documentation that the reconciliation was performed and that reconciling items were investigated and resolved must be retained.

Policies and procedures — Policies and procedures should be maintained in sufficient detail, should be updated at least once every three years and should be made available to all personnel.

Fixed assets management — Fixed assets should be properly recorded and controlled to provide safety and protection from theft, abuse or misuse. All assets with a dollar value over $2,500 are required to be registered with the Controller’s Office as a university fixed asset. The fixed asset custodian should ensure that the equipment is appropriately identified, tagged and tracked. To ensure appropriate fixed asset controls, a sample of fixed assets registered with the Controller’s Office and a sample of assets identified during a walkthrough of facilities should be reviewed to ensure that all assets are appropriately identified and tracked. The fixed assets custodians are also responsible for ensuring that assets are removed from the fixed asset registry in a timely manner, performing a full reconciliation of assets annually, and certifying that all assets are appropriately accounted for and reflected in the fixed asset registry.

Business purpose documentation — Documentation should be retained supporting the business purpose of each expenditure.

Approval of time records — In order to ensure the propriety of submitted hours, employee time records should be reviewed by their supervisors. If feasible, overtime should be approved in advance.

Performing annual performance evaluations — Performance evaluations are valuable tools that provide staff members with feedback on their performance and accomplishments for the previous year. They also assist staff members in understanding their job responsibilities and their supervisor’s performance expectations. Evaluations are expected to be fair, representative of actual performance, written and performed on an annual basis. Failure to provide documented evaluations could complicate later disciplinary processes.

Petty cash accounts — Petty cash accounts should be established at a fixed amount. Access to petty cash funds should be restricted to a designated petty cash custodian. Each time petty cash is expended, the custodian should obtain and maintain a valid receipt for the expenditure, such that the sum of petty cash receipts plus the amount in petty cash always equals the established amount of the fund. Receipts should be turned in along with a request for replenishment of petty cash, to document the business purpose of each expenditure.

Information Technology Internal Controls

Software licensing — Software should only be used if it is properly licensed, to ensure that only legally procured systems are used.

Sharing of IDs and passwords — Each user of an IT system should be assigned their own username and be required to create their own unique password. IDs and passwords should not be shared among users.

Terminating systems access — A process should be in place to remove system access in a timely manner when it is no longer needed, whether due to a change in the user’s job or to termination.

Disaster recovery and business continuity — Departments should develop disaster recovery and business continuity plans, to be reviewed and approved by senior management. Implementing these plans can reduce downtime and facilitate business continuity in the event of a disaster. Documented disaster recovery procedures, as well as periodic testing and review of these procedures, alert the department to possible recovery obstacles and to the accuracy of estimated recovery times.

Data backup and recovery — Backups should be performed daily and the backup process tested on a regular basis to ensure the continuity of data.

IT asset inventory — Information technology assets and their locations should be inventoried in order to secure and track all equipment used. An accurate IT asset inventory will help ensure proper configuration.

Web application security — Web applications and websites should be protected against cross-site scripting, SQL injection, denial-of-service and other attacks through the use of testing, digital signatures and quality coding.

Employee turnover checklist — A checklist that details all the necessary steps to be performed when an employee changes jobs or separates from employment should be maintained. Completion of the checklist at job separation will help eliminate system access that is no longer appropriate.
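Both the "Terminating systems access" item and the turnover checklist above depend on someone noticing that an account outlived its owner's role. A periodic reconciliation of a system's account list against the HR roster is the usual way to detect what the checklist missed. The following is an added example for this page, not a procedure from Audit and Management Services: it assumes two constructed exports (an HR roster and a system account list in the simple shapes shown) and a one-day grace period, all of which are assumptions rather than anything the page specifies.

```python
"""Reconcile system accounts against the HR roster to find access that should
have been removed at job change or separation.

Added example, not the page's own procedure. It assumes an HR roster export
of username -> (status, department, separation date or None) and a system
account list of (username, enabled, department the access was granted for).
A real environment would pull these from the HR system and the directory;
every record below is constructed sample data.
"""
from datetime import date, timedelta

# Constructed sample HR roster.
HR_ROSTER = {
    "alice": ("active", "finance", None),
    "bob":   ("separated", "finance", date(2021, 5, 3)),
    "carol": ("active", "research", None),          # transferred out of finance
    "dave":  ("separated", "it", date(2021, 6, 20)),
}

# Constructed sample account list: (username, enabled, department access was granted for).
SYSTEM_ACCOUNTS = [
    ("alice", True, "finance"),
    ("bob", True, "finance"),         # separated but still enabled
    ("carol", True, "finance"),       # job change: access still reflects old department
    ("dave", False, "it"),            # separated and already disabled
    ("svc_legacy", True, "finance"),  # constructed account with no HR record at all
]


def reconcile_access(accounts, roster, today, grace_days=1):
    """Return findings keyed by category:

    separated_still_enabled: enabled accounts whose owner has separated
    overdue:                 (user, days since separation) past the grace period
    job_change:              (user, granted_dept, current_dept) where access no
                             longer matches the owner's current department
    no_hr_record:            enabled accounts with no owner in the roster
    """
    findings = {"separated_still_enabled": [], "overdue": [], "job_change": [], "no_hr_record": []}
    for user, enabled, granted_dept in accounts:
        if not enabled:
            continue  # access already removed; nothing to flag
        if user not in roster:
            findings["no_hr_record"].append(user)
            continue
        status, dept, separated_on = roster[user]
        if status == "separated":
            findings["separated_still_enabled"].append(user)
            if separated_on is not None and today - separated_on > timedelta(days=grace_days):
                findings["overdue"].append((user, (today - separated_on).days))
        elif dept != granted_dept:
            findings["job_change"].append((user, granted_dept, dept))
    return findings


def checklist_complete(findings):
    """True only when the reconciliation found nothing left to remove or re-review."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile_access(SYSTEM_ACCOUNTS, HR_ROSTER, date(2021, 6, 21))
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    print("clean" if checklist_complete(result) else "follow-up required")
```

Accounts with no HR owner are listed separately because they are often shared or service accounts, which the "Sharing of IDs and passwords" item says should not exist without a named owner; each one needs an owner assigned or the account disabled.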

Patching systems — Systems should be patched automatically on workstations and no less than monthly on servers. For critical systems, patches should also be tested prior to implementation and the testing results documented.

Virus, spyware, adware and malware prevention — Antivirus and anti-malware software should be used and maintained at a current version to protect from potential attacks, and users should be trained against social engineering.

Server, operating system and database security, and physical security — Both intrusion prevention and detection software should be used to prevent or identify potential attacks. Logs should be stored on another server and reviewed on a regular basis for abnormalities. Default passwords should be changed, unnecessary factory default services should be disabled, and routine patching of the operating system, database and web server should occur.

Change controls — System changes should be documented, tested and approved before implementation to ensure that changes will not negatively affect systems. All testing should be documented, and a back-out plan (restoring to the previous software state) should be prepared in case the change needs to be revoked.

Network security controls — Data networks should be compartmentalized based on use and the type of data transmitted. Firewalls or filters should be applied to limit the network addresses or services allowed between compartments and the Internet. If physical or wired access is not relied on to gain access to the network (as in the case of remote network access), then additional factors of authentication are necessary, such as logon identifiers and passwords, tokens or biometrics. Two-factor authentication should be used to authenticate privileged users with access to sensitive systems. Wired and wireless networks should be diagrammed. Network monitoring, network device patching, IT asset inventory and configuration management software processes should exist to protect the network and the devices supported therein.

Reporting lost or stolen computing devices, lost sensitive information or hacking attempts — Management should report missing computing devices to either the health system’s or the university’s Information Security Officer (ISO). Theft of computing devices must be reported to the VCU Police. In addition, data breaches or suspected successful hacking attempts should be reported to the relevant organization’s ISO and Privacy Officer.

Sponsored Programs Related Internal Controls

Pre-award — To ensure compliance with sponsored agreement requirements, individuals involved in sponsored programs must follow university procedures for the solicitation, review, approval and submission of proposals with financial budgets.

Effort reporting and salary — Employees are required to certify effort expended on sponsored program research activity to ensure that salaries are calculated and charged correctly in accordance with sponsored agreements, federal regulations and university policy.

Post-award administration — Issued by the Office of Management and Budget in 2013, the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards — Final Rule, supersedes and streamlines previous OMB Circular requirements. The university as well as financial administration personnel must comply with the new guidance in areas such as procurement, indirect Facility and Administrative costs, and performance measurement and reporting.

Award close-out — The closeout process spans several different functions: financial, regulatory and administrative. The financial process is mostly handled through the departments that receive the awards and the Grants and Contracts Accounting Office, and includes ensuring that agreed-upon services and work product have been billed to the sponsor and payments have been received. Regulatory closeout includes filing any required reports with the appropriate agency or sponsor. The administrative closeout includes notification and providing closeout documentation to the Office of Sponsored Programs, which inputs and maintains information in InfoEd, the system of record for all sponsored programs.

Request a Consultation (mailto:EMCCLINTON@VCU.EDU)

Audit and Management Services can assist you with internal control self-assessment tools that are relevant to your department or function. Additionally, we can explain control concepts in greater detail and how to implement or improve internal controls in your area. To arrange a consultation, please contact the director of audit or the deputy directors of the following audit functions: health system, IT or university.

Updated: 06/23/2021