The JRMSU Main Campus adopts both manual and computerized collection processes.

In the manual collection process, official receipts (OR) are issued manually and
collections do not pass thru the Assessment-Cashiering Module. The manual collection
process is done usually for collection of payments during power interruption.

The Assessment-Cashiering Module - Cashier is the IT system used by the Collecting

Officer to process all collections received therein. This is directly linked to the Assessment
Cashiering Module in the Assessment Office, however, the functionality and the design is
totally different such that the functionality in the Cashier's Office is restricted purely to
collection. The Collecting Officer does not have access to edit or delete data assessed by the
Assessment Office. For the computerized collection process, the Cashier’s Office uses the
Assessment-Cashiering Module in the issuance of OR, and collections are automatically
posted in the student’s assessment records while collections from the Commission on Higher
Education (CHED) – Universal Student Financial Assistance System for Tertiary Education
(UniFAST) are automatically posted in the system upon generation of OR – posting of tuition
and other school fees assessed, in accordance with the Free Higher Education Act, for each
student are posted manually in the student’s assessment record.:

The Assessment-Cashiering Module is an internally developed information system

implemented to collect, update, process, and store student data such as personal information
and academic records. It aims to integrate the processes from Admission to Collection so that
the University’s main clients, the students, will have an easier time navigating the arduous
process of enrollment each semester. The development of the University enrollment to
collection process started in the early 2000s, with the Management Information System Office
(MISO) spearheading the project. However, there is no manual or handbook for the said
system. The system currently has five (5) sub-systems/modules that are integrated into one
whole system (1) Admission, (2) Registrar, (3) Loading, (4) Enlisting, (5) Assessment
Cashiering Module (for Assessment Office only), and (5) Assessment-Cashiering Module (for
Cashier Office only) to assist the enrollment process as follows:

Procedure Process Owner System

1. Online Registration Dean & Associate Dean of Accomplishment of
Processing of Enrollment Colleges Program Chair Google Form
and Approval Senior High School (SHS)
Principal
2. Pre-Enlisting/ Pre- Admission Office Admission Module
Encoding of Subjects & Registrar’s Office Loading Module Listing
Units Taken and Profiling Module
3. Assessment of Fees Assessment Office Assessment- Cashiering
Module
4. Payment of Fees Cashier’s Office Assessment- Cashiering
Module
5. Enlisting/Encoding Registrar’s Office Listing Module

Application controls are the structure, policies, and procedures applied to separate
individual application systems that are designed to ensure that data received for processing are
genuine, complete, accurate, and properly authorized.

Section 123 of PD 1445 provides that “Internal control is the plan of organization and
all the coordinate methods and measures adopted within an organization or agency to
safeguard its assets, check the accuracy and reliability of its accounting data, and encourage
adherence to prescribed managerial policies. Also, Section 124 provides that “It shall be the
direct responsibility of the agency head to install, implement, and monitor a sound system of
internal control.”

Our evaluation of the Assessment-Cashiering Module in the Cashier’s Office

disclosed several control weaknesses in its design and implementation procedures as follows:

Personnel who are not authorized by the University’s competent authority to handle
the collection function were granted login credentials to the Cashier Sub-System and were
allowed to handle the collection function. Likewise, one of the cashier personnel with a
Contract of Service (COS) status had been allowed to handle the collection function using the
log-in credentials of one of the Collecting Officers.

As of September 2021, the Cashier’s Office which is under the Administration and
Finance Office is headed by the University’s Cashier with a duly designated Collecting
Officer, who is properly bonded, and whose main duty and responsibility is to collect
payments and remit the same to the University’s bank account.

We observed, however, that the designated collecting officer has three sub-collecting
officers (SCOs), verbally assigned and are not bonded, who help process collections. 1/3 of
the sub- collector is personnel with Job-Order (JO) or Contract of Service (COS) status. All
three SCOs do not have their own username and password to access the system. They only
use the username and password of the Collecting Officer. At the end of the day, all cash
collections whether processed by the CO/SCO are the accountability of the CO. The CO will
close the system by generating the collection report for the day and tallies the total collection
as reflected in the system with the total cash collected by the CO/SCO.

Unauthorized personnel who are given access to data entry can compromise the
integrity of application data and could result in fraudulent or malicious transactions which
could result in the loss of government funds.

Edit routines are not embedded within the application that checks and subsequently
rejects input information that does not meet certain criteria, including but not limited to
invalid field length and duplicate transaction entries/numbers.

Our review disclosed that the serial number (SN) of the OR is encoded in the first
entry of the collection by the user. For the succeeding transactions, the system provides the
OR number sequentially following the encoded OR number in the first collection, so that the
CO/SCO needs not to encode the OR number for every transaction. However, we noted that
the system accepts or does not reject entry that is not within the series of the previous OR
issued. The CO/SCO may encode any OR number in the following collections and the system
does not have an embedded control that would reject SN which have already been used or
encoded in the system, therefore allowing duplicate entries or any number of OR not part of
the previously encoded number.

Overriding or bypassing data validation and editing control is not in place.

We noted that there is no control in place to ensure that all modifications/corrections

to the previously recorded transactions were duly authorized before being entered into the
computer system. There is no appropriate segregation of duties to prevent users from both
entering and authorizing modification in the previously recorded/saved data in the system.
Cancellation of previously issued OR for payments that have already been recorded in the
system, of which a copy of the OR has already been printed, were authorized by the users
themselves. There is no supervisor other than the CO/SCO who approved cancellation of
previously recorded OR in the system. This process allowed users to be in control of data
entries that could result in the manipulation of data entries by the users.

We recommend that Management:

a. Ensure that only personnel duly designated by the University’s competent

authority and bonded are allowed to perform collection functions and have
access to the application system.

b. Ensure that controls and procedures are in place so that all transactions are
authorized and reports generated, submitted, and recorded in the books are
accurate and complete.
c. Enhance the present application by ensuring that such controls and procedures are built
in the system such as but not limited to:

 Automated data and validation checks to avoid duplicates and acceptance by the system
of OR not within the parameter/range set in the system and requiring a supervisor or
the CO to encode the first series of OR to be used during the day;

 Automated authorization, approval, and override controls to edit transactions that have
already been saved in the system. A supervisor or the Cashier should authorize any
correction and/or cancellation of a previous entry in which an OR has already been
issued; and

 Enhance the present reporting facility of the Assessment-Cashiering Module

particularly the Daily Collection Report which should contain the following fields: OR
Number, Name of Student, Nature of Collections, and Amount of Collection.