Office of University Audit
Best Practices Presentations
Thank you for visiting the Office of University Audit’s Best Practices page. Below you will find tools and resources that will assist with identifying, understanding, mitigating and managing risk. Also of note, we have provided guidance regarding the key roles and responsibilities for an effective system of financial management controls. Please do not hesitate to reach out to any of my staff if you have comments, questions regarding any of the information below, or if you would like to see additional guidance documentation provided. Meliora!
- revised February 2017
A critical component of the University’s internal control environment over financial transactions is the departmental Financial Management activities of analyzing, reviewing and reconciling transactions in a timely manner. There are limited preventive (or “front-end”) internal controls for the processing of revenue and expenditure transactions due to established University procedures, as well as the decentralized University environment. Furthermore, within the initiating departments (at the “back-end”), there is no single internal control that would detect incorrect, unauthorized or inappropriate transactions. Rather there is a set of controls working together to mitigate risk to acceptable levels. The purpose of this document is to:
- define key internal control terminology,
- recommend internal control procedures, and
- provide detailed written guidance for all departments and sub-units regarding Financial Management and internal control procedures.
An important first step to implement Financial Management and internal control procedures is to complete the FAO Inventory and Self-Analysis Worksheet (.xls). The FAO Inventory identifies all FAOs within a department. Performing the Self-Analysis assists in determining which internal control procedures will be used to address the risk associated with each FAO and documents department management’s expectation of the scrutiny and accountability placed on these FAOs. Members of OUA are available to discuss internal controls, including those presented in this document.
Fraud in the Workplace: Prevention and Detection (.pdf) September 2013
Overview of Internal Controls and Risk(.pdf) August 2018
Controls Are EVERYBODY'S Business (.pdf) November 2003
Three Lines of Defense Model (.pptx)
- Internal controls are a set of systems, processes and people that collectively ensure that the University achieves the its goals (Operational, Internal and External Financial Reporting and Legal and Regulatory Compliance). In order to achieve these goals, the University must have in place an effective internal control and risk management structure across the institution. The Lines of Defense model provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives. Key stakeholders in the Lines of Defense model are:
- Board of Trustees, Audit and Risk Committees and Executive Management
- Business Operations: Departmental, Operational and Functional Management
- Oversight Functions: Risk Assurance Functions (Academic and Medical)
- Independent and Objective Assurance: Internal Audit
- External Auditors and Regulators
- Cost sharing is the portion of project costs that is not funded by the sponsor. Cost sharing can be mandated by a sponsor when the sponsor includes such terms in an award. In such circumstances, the sponsor’s expectation is that such costs are being provided to the sponsor free of charge. Cost sharing can also be voluntary which means not required by the sponsor, but included by the PI to enhance the proposal. Specifically pledged in the proposal’s budget or award. Conflicts of interest occur when a person is in a position to influence University business, research, or other decisions for personal gain or improper advantage to third parties.
- The Principal Investigator (PI) is ultimately responsible for both the technical goals of a research project and the fiscal management of such project, in accordance with sponsor and University regulations.
- These audits provide reasonable assurance that Federal awards are expended only for allowable activities and that the cost of goods and services charged to Federal awards are allocable and in accordance with applicable cost principles.
- This should serve as a reference guide to policies and procedures concerning University business travel and conference expense. It should simplify what is an allowable reimbursement in accordance with University policies. The goal is to give you a clear understanding of how you can use the University's policies and procedures to your own and the University's advantage.
- Safeguarding cash or checks received involves proper internal controls surrounding the receipt process. Lack of any of the controls below may be an indication of weaknesses in the control structure that could allow fraud to occur.
- During the 2017 Administration and Finance Conference, the Office of University Audit gave a presentation that emphasized the fiduciary responsibilities of various roles throughout the University, and Risks and Internal Controls. Risk is an inherent and unavoidable aspect of the University of Rochester’s missions, operations, and objectives. Internal controls are a set of systems, processes and people that collectively ensure that the University achieves its goals (Operational, Internal and External Financial Reporting and Legal and Regulatory Compliance). In order to achieve these goals, the University must have in place an effective internal control and risk management structure across the institution.